Operation Ghoul attacks terrorise industrial and engineering orgs

Kaspersky researchers spotted a wave of attacks that has affected more than 130 organisations in at least 30 countries.

Dubbed Operation Ghoul, the group behind the attacks appears to be financially motivated and targets executives at mostly small to medium-sized industrial manufacturing and engineering organisations by using spear-phishing emails that include compressed executables, Kaspersky senior security researcher Mohamad Amin Hasbini said in a 17 August blog post.

The malicious emails appear to come from a bank in the United Arab Emirates and deliver malware based on the Hawkeye commercial spyware, which is designed to collect data such as passwords, keystrokes and screenshots and send it to the attackers.

The attacks trace back to March 2015, and the most recent waves of attacks started on 8 June and 27 June 2016.

So far, more than 130 organisations have been hit, and while the campaign has been highly active in the Middle East, attacks have been spotted in several regions.

Hasbini said the phishing attacks work across all platforms, noting that victims were inserting their credentials using Windows, Mac OS X, Ubuntu, iPhone, and Android devices.

Although phishing attacks have long been a valuable technique for cyber-criminals since they are difficult for well-trained humans and software to detect, the bigger problem is a lack of awareness of these types of attacks, Tripwire security researcher Lane Thames told SCMagazine.com via emailed comments.

“No new innovation was used by this attack campaign,” Thames said. “Instead, these cyber-criminals were using existing malware and phishing emails to infiltrate their victims' networks.”

He said organisations should implement training programmes to help users better understand the aspects of spam, phishing and malware.