Cyber attack 'Ghoul'

Davina Spohn

Targeted attacks on industry

Kaspersky Lab has discovered a wave of targeted attacks against industrial and engineering organizations. In Operation 'Ghoul', the criminals attack via so-called spear phishing: emails with malware attached, aimed in particular at management level.


Companies around the world have been spied on via Operation Ghoul. Kaspersky assumes that the attackers are still active.


The cybercriminals' intended "prey" is confidential company data, which they then sell on the black market. The main motive of the operation called 'Ghoul' is financial profit. Kaspersky Lab assumes that the attackers behind it are still active. So far, over 130 organizations in 30 countries have been attacked - including companies from Germany, Spain, Pakistan, India, the UK, Egypt, the United Arab Emirates and Saudi Arabia.

How Operation 'Ghoul' works

In June 2016, experts from the security company Kaspersky Lab identified a series of spear phishing emails with malicious attachments. These emails were mainly sent to managers in senior and middle positions. They appeared to come from a bank in the United Arab Emirates and carried a supposed SWIFT document as an attachment. SWIFT is in fact a standardized format for exchanging messages between credit institutions, stock exchanges, securities depositories and large companies in other industries; in this case, however, the attachment contained malware.

According to Kaspersky, this malware is based on the commercial 'HawkEye' spyware, which is sold on the Darknet and contains various tools for cyber criminals. After installation or infection, the following data is collected from the victim's computer:

  • Keystrokes
  • Clipboard data
  • FTP server login information
  • Account data from Internet browsers
  • Account data from messengers
  • Account data from e-mail programs
  • Information about installed applications such as Microsoft Office

This data is sent to the command and control servers of those behind the attacks. According to Kaspersky's research, the majority of victims come from the industrial and engineering sectors. Other organizations attacked operate in transport, pharmaceuticals, manufacturing, trade and education.


Origin of the name 'Ghoul'

"In ancient folklore, the ghoul is an evil mythical creature that eats human flesh and preys on children. Originally it was a demon from Mesopotamia. Nowadays, this term is also used for greedy or materialistic people," explains Mohammad Amin Hasbini, security expert at Kaspersky Lab. "This is a fairly accurate description of the group behind Operation Ghoul. Their main motive is financial profit, either through the sale of stolen intellectual property and 'business intelligence' or by attacking bank accounts. Unlike state-sponsored actors who carefully select their targets, any company could fall victim to this group," Hasbini continues. Even though the group uses fairly simple malicious tools, their attacks are very effective.

Recommended security tips

The security company Kaspersky advises that employees be trained to distinguish spear phishing emails and phishing links from genuine ones. In addition, corporate IT security solutions should be combined with specialized products such as the 'Kaspersky Anti Targeted Attack Platform', which detects attacks by analyzing network anomalies. Finally, IT security staff should have access to up-to-date threat intelligence in order to prevent and detect targeted attacks.
