Eastern Ukraine separatists seemingly targeted in Operation Groundbait APT

Researchers have discovered a malware-based APT dating back to 2008 that at least appears to target political enemies of Ukraine, including pro-Russia separatists in the disputed eastern region of the country.

Operation Groundbait appears to primarily target separatists in Eastern Ukraine

No stranger to cyber-espionage, Ukraine and its government have been victim to some high-profile advanced persistent threat campaigns. But now researchers have discovered yet another malware-based APT dating back to 2008 that at least appears to target political enemies of Ukraine, including pro-Russia separatists in the disputed eastern region of the country.

Researchers at ESET uncovered the malware, dubbed “Prikormka,” or “Groundbait” in English, and a corresponding APT campaign that has gone after specific individuals primarily via spear-phishing tactics. According to an ESET white paper, evidence suggests that this is “the first publicly known Ukrainian malware that is being used in targeted attacks.”

Operation Groundbait appears to have originated within Ukraine itself, with command and control servers located in Ukraine and hosted by Ukrainian hosting companies. Its targets have primarily included anti-government separatists in the Donetsk and Luhansk regions, but also certain Ukrainian officials, politicians and journalists, and a few individuals in neighbouring countries including Russia.

Although the APT campaign dates as far back as 2008, the number of infections spiked markedly in 2015, jumping from 44 known incidents in 2014 to 178 the following year. There have so far been 39 unique infections discovered in 2016. “The attacks against high-value targets and separatists really took off in 2015 and that's what triggered our attention,” said Robert Lipovsky, senior malware researcher at ESET, in email correspondence with SCMagazine.com. ESET first detected the threat in the third quarter of 2015.

The spear-phishing emails used in the campaign have been carefully crafted to lure intended victims with specialised content that would likely appeal to them. In some cases, the attackers used provocative file names and decoy documents that referenced Ukrainian military attacks on civilians, missives from rebel leadership and the war in Donbass, the region that incorporates Donetsk and Luhansk. 

Much of the discovered content was written in Russian, the primary language of eastern Ukraine's self-declared independent states — although malicious emails sent to certain individuals in the western Ukraine were written in Ukrainian.

Oddly, one phishing email featured an actual fishing (that's fishing with an “f”) theme, which referenced “Prikormka,” or groundbait, a type of fish bait. ESET could not explain why fishing equipment was used as a lure, but it was unique enough to inspire the name of the APT campaign. “That is very strange indeed… Perhaps the attackers were targeting someone who was an avid fisher,” Lipovsky noted wryly.

While evidence points to a Ukrainian cyber-espionage operation, ESET could not draw definitive conclusions. When asked if Groundbait could theoretically be the work of Russians or another third party spying on the separatists, Lipovsky acknowledged that this could be the case. “[Another possibility] that should be considered is a false flag operation,” said Lipovsky, noting the possibility that the campaign could be disguising its true intentions. “While separatists form the majority of the targets, there are also other targets within the [Western] Ukrainian government — politicians, and so on,” he cautioned.

ESET also reported that each sample of the Groundbait/Prikormka malware contained a “Campaign ID” — ostensibly, a unique text string that is used to identify specific infection attempts. The research firm was able to identify over 80 distinct Campaign IDs.

The malware first deploys a dropper, an initial component typically delivered as an email attachment: an executable with an .scr or .exe file extension, compressed into an archive. The dropper uses a common APT technique known as DLL (Dynamic Link Library) load-order hijacking, placing a malicious DLL where a legitimate program will find it before the genuine library of the same name, so that the malware is loaded automatically on every system boot. It also employs anti-sandboxing techniques to evade automated analysis.
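The persistence trick described above works because Windows resolves an unqualified DLL name by walking a fixed search order that starts in the application's own directory, so a planted DLL that shares a name with a system library wins. The script below is an added example (not ESET's analysis code and not the malware) showing the defensive side: it audits application directories for DLLs that shadow a known System32 name and notes whether the directory is writable by non-administrators. It generalises beyond this campaign to any search-order hijack. The application paths, the file inventory and the short list of "known system DLLs" are constructed assumptions standing in for a real host inventory.

```python
"""Audit application directories for DLL search-order (load-order) hijacking.

Windows resolves LoadLibrary("name.dll") (no path given) by searching, in
order: the application directory, System32, the 16-bit system directory,
the Windows directory, the current directory, then PATH. A DLL dropped into
the application directory whose name matches a System32 library is found
first and runs every time the host program starts. This is an added
defensive example, not code from the article or from ESET.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: a small set of DLL names that normally live in %SystemRoot%\System32.
# A real audit would enumerate System32 on the host rather than hard-code names.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "cryptsp.dll", "dwmapi.dll", "uxtheme.dll", "secur32.dll",
}


@dataclass(frozen=True)
class Finding:
    dll_path: str           # full path of the shadowing DLL
    shadows: str            # the System32 name it collides with
    app_dir_writable: bool  # True if a low-privileged user could have planted it


def hijack_candidates(app_dir_files: dict[str, list[str]],
                      system_dlls: set[str] = KNOWN_SYSTEM_DLLS,
                      writable_dirs: set[str] | None = None) -> list[Finding]:
    """Return DLLs in application directories that shadow a known System32 DLL.

    app_dir_files maps an application directory to the file names in it;
    writable_dirs is the subset of those directories writable by non-admins.
    Both are passed in so the check can run on constructed input, offline.
    """
    writable = writable_dirs or set()
    findings: list[Finding] = []
    for directory, names in app_dir_files.items():
        for name in names:
            lname = name.lower()
            # Compare case-insensitively: the loader does not care about case.
            if lname.endswith(".dll") and lname in system_dlls:
                findings.append(Finding(
                    dll_path=str(PureWindowsPath(directory) / name),
                    shadows=lname,
                    app_dir_writable=directory in writable,
                ))
    return findings


def inventory_from_disk(directories: list[str]) -> tuple[dict[str, list[str]], set[str]]:
    """Build the inventory and writable-set from real directories (Windows host).

    Assumption: os.access(W_OK) reflects the current user's effective rights,
    which is a coarse approximation of the directory's ACL.
    """
    files: dict[str, list[str]] = {}
    writable: set[str] = set()
    for d in directories:
        if not os.path.isdir(d):
            continue
        files[d] = [e.name for e in os.scandir(d) if e.is_file()]
        if os.access(d, os.W_OK):
            writable.add(d)
    return files, writable


# Constructed sample inventory (not real hosts): one third-party application
# directory that standard users can write to, and one that is locked down.
SAMPLE_INVENTORY = {
    r"C:\Program Files\ExampleApp": ["ExampleApp.exe", "version.dll", "readme.txt"],
    r"C:\Program Files\OtherApp": ["OtherApp.exe", "otherapp.dll"],
}
SAMPLE_WRITABLE = {r"C:\Program Files\ExampleApp"}


if __name__ == "__main__":
    for f in hijack_candidates(SAMPLE_INVENTORY, writable_dirs=SAMPLE_WRITABLE):
        flag = "WRITABLE" if f.app_dir_writable else "locked"
        print(f"{f.dll_path} shadows {f.shadows} [{flag}]")
```

On a real Windows host, replace the constructed inventory with `inventory_from_disk([...])` over the directories of interest; a hit in a directory that is both writable by standard users and used by an auto-started program is the combination that makes this persistence technique attractive to an attacker.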

Groundbait/Prikormka then downloads and stores a series of modules on the infected system's disk in the form of DLL files. The attacker can choose which individual modules to download, depending on the campaign's specific purpose. ESET discovered modules that, among other nefarious deeds, can record Skype conversations, capture audio from a microphone, log keystrokes, and steal credentials, data and documents.