Operation Ghoul: Industrial and engineering firms under attack

Security researchers from Kaspersky Lab have warned of a new cyber-attack project which they named Operation Ghoul.

Conducted by a group of hackers, it targets organisations in the industrial and engineering sectors in more than 30 countries and aims to extract as much data as possible.

The data is then sold on the black market, and Kaspersky Lab says financial gain is the main motive behind the operation.

More than 130 companies have been targeted, in countries such as Spain, Pakistan, the United Arab Emirates, India, Egypt, the United Kingdom, Germany and Saudi Arabia.

The group was first spotted in March 2015, and this June attack seems to be its newest. Security researchers say it starts the usual way – through spear-phishing with malicious attachments. The attackers pose as a bank, giving payment advice and attaching a SWIFT document.

The document is, in fact, malware.

This malware is based on HawkEye and collects keystrokes, clipboard data, FTP server credentials, browser account data, messaging client data, email client data, and Microsoft Office data.

“In ancient folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual,” said Mohammad Amin Hasbini, security expert at Kaspersky Lab.

“This is quite a precise description of the group behind Operation Ghoul. Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victims’ banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks will sadly suffer.”
