Russian spy malware called CosmicDuke has been spotted this week trying to infect new targets, using information about the Scottish independence vote as a lure.
The attack was spotted by Finnish security firm F-Secure, whose chief research officer Mikko Hypponen has identified CosmicDuke as “Russian espionage malware”.
And the company believes the most likely targets of the social engineering attack are Scottish oil companies and related contractors – who are “probably too complacent at this point with their assessment of how big a target they are”.
F-Secure described in an 18 September blog post how the CosmicDuke lure was sent out before the Scottish independence vote on Thursday. It used a plausible decoy document from the Associated Press that had only been published on Monday – a demonstration of the attackers' speed and capabilities.
Sean Sullivan, F-Secure security adviser, gave more details. He told SCMagazineUK.com that rather than the Russian state, F-Secure believes the attack was “run by Russian civilians who probably have a particular nation state buyer”. He described the attackers as “probably opportunistic freelancers”.
Sullivan said: “We've got some organisation that's gotten tired of stealing credit cards or has learned from credit card thieves and has decided to use off-the-shelf technology to get into the espionage business.
“They are freelance contractors, they're privateers, they're corporate raiders – real corporate raiders, sailing the high seas and ripping off content.”
Sullivan said the Scottish independence attack had a “very similar footprint” to the recent cyber raid on around 300 oil and energy companies in Norway.
“Like Norway, I would be shocked if the different oil companies and the contractors that support the oil companies in Scotland haven't been targeted here. I would be shocked if they haven't been compromised,” he said.
Sullivan also warned that such firms are likely failing to take adequate safeguards against the cyber threat.
“The folks in that sector are probably far too complacent about protecting their intellectual property and trade secrets at this point. Everybody outside the defence contractor industry is probably too complacent at this point with their assessment of how big a target they are.”
The CosmicDuke malware involved in the campaign hit the headlines in July when it surfaced as a ‘mongrel’ hybrid of the MiniDuke malware family.
F-Secure dubbed it ‘CosmicDuke’ because it uses the same loader as MiniDuke, combined with the payload from the Cosmu family of information stealers.
In July, CosmicDuke was uncovered by both Kaspersky Lab and F-Secure, with Kaspersky reporting that it had attacked 14 targets in the UK, along with hundreds of others in the US, Russia, Georgia, India and elsewhere.
Kaspersky said these targets included governments, diplomatic organisations, energy companies, telecom operators, military contractors and individuals involved in the trafficking and sale of illegal and controlled substances.
MiniDuke itself was discovered in 2013 being used in a series of attacks against Nato and European government agencies.