lolloj - Fotolia

Cyber espionage campaign targets Ukraine separatists

Security researchers discover a surveillance operation against separatists in Eastern Ukraine using spear phishing attacks to spread previously unknown malware

Researchers at security firm Eset have uncovered an ongoing surveillance operation against separatists in Eastern Ukraine using previously unknown malware.

Detected as Win32/Prikormka, the malware has eluded the attention of antimalware researchers since at least 2008. It has been carrying out cyber-espionage activities primarily targeting anti-government separatists in the self-declared Donetsk and Luhansk People's Republics.

The malware features a modular architecture, allowing attackers to expand its functionality and steal various types of sensitive information and files from the cyber-surveillance targets, the researchers said.

Further technical details of the malware, as well as additional information on the ongoing cyberespionage operation, can be found in Eset’s comprehensive whitepaper.

“Along with the armed conflict in the east of Ukraine, the country has been encountering numerous targeted cyberattacks, or so-called advanced persistent threats,” said Robert Lipovský, senior malware researcher at Eset.

“For example, we discovered several campaigns using the now-infamous BlackEnergy malware family, one of which resulted in a massive power outage. But in the survellance operation, previously unknown malware is used,” he said.  

Read more about cyber espionage

Phishing email shares a joke

The infection vector used to spread the malware in surveillance operation, dubbed Operation Groundbait, was mostly via spear phishing emails.

“During our research, we observed a large number of samples, each with its designated campaign ID and an appealing file name to spark the target’s interest,” said Anton Cherepanov, malware researcher at Eset.

The attackers seem to be most interested in separatists and the self-declared governments in eastern Ukrainian war zones, but there have also been a large number of other targets, including Ukrainian government officials, Ukrainian politicians, Ukrainian journalists, international peace-keeping and monitoring organizations, and others, Lipovský wrote in a blog post.

While most campaigns used themes relating to the current Ukrainian geopolitical situation and the war in war in Donbass to lure the victims into opening the malicious attachment, the campaign in question displayed a pricelist of fishing groundbait instead.

“The choice of this decoy document we have so far been unable to explain, said Lipovský.“As is usual with targeted attacks, attributing the source is tricky as conclusive evidence is difficult to find."

The research into the attacks showed the attackers are most likely operate from inside Ukraine.

“Whoever they are, it is probably fair to assume that this cyber-surveillance operation is politically motivated – but any further attempt at attribution would at this point be speculative,” said Lipovský.

“In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too.”

Read more on Hackers and cybercrime prevention

Data Center
Data Management