lolloj - Fotolia
Cyber espionage campaign targets Ukraine separatists
Security researchers discover a surveillance operation against separatists in Eastern Ukraine using spear phishing attacks to spread previously unknown malware
Researchers at security firm Eset have uncovered an ongoing surveillance operation against separatists in Eastern Ukraine using previously unknown malware.
Detected as Win32/Prikormka, the malware has eluded the attention of antimalware researchers since at least 2008. It has been carrying out cyber-espionage activities primarily targeting anti-government separatists in the self-declared Donetsk and Luhansk People's Republics.
The malware features a modular architecture, allowing attackers to expand its functionality and steal various types of sensitive information and files from the cyber-surveillance targets, the researchers said.
Further technical details of the malware, as well as additional information on the ongoing cyberespionage operation, can be found in Eset’s comprehensive whitepaper.
“Along with the armed conflict in the east of Ukraine, the country has been encountering numerous targeted cyberattacks, or so-called advanced persistent threats,” said Robert Lipovský, senior malware researcher at Eset.
“For example, we discovered several campaigns using the now-infamous BlackEnergy malware family, one of which resulted in a massive power outage. But in the survellance operation, previously unknown malware is used,” he said.
Read more about cyber espionage
- A cyber espionage group has targeted high-profile technology, internet, commodities and pharmaceutical companies in the US, Europe and Canada, reports Symantec.
- A cyber espionage campaign against military, diplomatic and defence industry targets in the US and Europe is discovered.
- IT security firm FireEye claims to have uncovered a decade-long cyber espionage campaign against firms in south-east Asia and India.
- The UK has been hit more than 100 times in an advanced global cyber espionage campaign that has gone undetected for more than five years.
Phishing email shares a joke
The infection vector used to spread the malware in surveillance operation, dubbed Operation Groundbait, was mostly via spear phishing emails.
“During our research, we observed a large number of samples, each with its designated campaign ID and an appealing file name to spark the target’s interest,” said Anton Cherepanov, malware researcher at Eset.
The attackers seem to be most interested in separatists and the self-declared governments in eastern Ukrainian war zones, but there have also been a large number of other targets, including Ukrainian government officials, Ukrainian politicians, Ukrainian journalists, international peace-keeping and monitoring organizations, and others, Lipovský wrote in a blog post.
While most campaigns used themes relating to the current Ukrainian geopolitical situation and the war in war in Donbass to lure the victims into opening the malicious attachment, the campaign in question displayed a pricelist of fishing groundbait instead.
“The choice of this decoy document we have so far been unable to explain,” said Lipovský.“As is usual with targeted attacks, attributing the source is tricky as conclusive evidence is difficult to find."
The research into the attacks showed the attackers are most likely operate from inside Ukraine.
“Whoever they are, it is probably fair to assume that this cyber-surveillance operation is politically motivated – but any further attempt at attribution would at this point be speculative,” said Lipovský.
“In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too.”