Since March 2015, a well-organized cyber-crime syndicate has targeted more than 130 companies in over 30 countries, including Egypt, for the purpose of industrial espionage.
The vast majority of the victims are small to medium companies (30-300 employees) operating in the industrial sector.
According to cyber-security vendor Kaspersky Lab, the group, which they named Operation Ghoul, intensified operations during June 2016, and more specifically, between June 8 and 27.
“Attacks were aimed at companies in the industrial sector”
The majority of targeted companies operate in industrial sectors such as the petrochemical field, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, and plastics.
Other activity sectors were also targeted, such as engineering, shipping, pharmaceutical, manufacturing, trading, education, tourism, IT, and more.
The group has shown a narrow focus on companies operating in the industrial sector, but not on any one country. Attacks were scattered all over the globe, with the most recorded in Spain (25 incidents), Pakistan (22), the United Arab Emirates (19), India (17), Egypt (16), and more.
Other targeted countries include the UK, Germany, South Africa, Portugal, Qatar, Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, and Italy.
“Crooks used the HawkEye RAT to infect high-ranking execs”
Ghoul hackers used the HawkEye RAT (Remote Access Trojan), also known as KeyBase, to carry out their attacks.
The crooks packed their RAT inside an EXE file, which they placed inside a ZIP archive and sent via spear-phishing emails to high-ranking staff at the targeted companies. Kaspersky says these emails were sent to CEOs, COOs, managers, engineers, supervisors, salespersons, and others.
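The delivery described above (an executable wrapped in a ZIP attachment) is the kind of thing a mail gateway can flag before the message reaches an executive. The following is an added example, not code from the article or from Kaspersky: it inspects a ZIP attachment, opens nested archives, and reports members that are executables by extension or by the `MZ` header, on a constructed sample attachment.

```python
import io
import zipfile

# Extensions a mail gateway would normally block inside an attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 2  # how many levels of nested archives to open


def _is_pe(data: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' header of a Windows executable."""
    return data[:2] == b"MZ"


def flag_executable_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return member paths that look like executables, by extension or by content.

    Nested ZIPs are opened up to MAX_DEPTH so a payload wrapped in a second
    archive is still reported, with the nesting shown in the returned path.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            data = zf.read(info)
            if ext in EXECUTABLE_EXTENSIONS or _is_pe(data):
                findings.append(name)  # double extensions like ".pdf.exe" land here too
            elif ext == ".zip" and depth < MAX_DEPTH:
                findings.extend(flag_executable_members(data, depth + 1, name + "/"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real campaign file): a benign PDF, a nested ZIP
    holding a double-extension PE stub, and a PE stub hidden under a .txt name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("quote_details.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("quote.pdf", b"%PDF-1.4 constructed sample\n")
        zf.writestr("docs.zip", inner.getvalue())
        zf.writestr("readme.txt", b"MZ" + b"\x00" * 16)  # PE header, harmless name
    return outer.getvalue()


if __name__ == "__main__":
    print(flag_executable_members(build_sample_attachment()))
```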
“The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information,” Mohamad Amin Hasbini, Kaspersky Senior Security Researcher, said.
The RAT is one of the top remote access toolkits on the market and can steal clipboard data, keystrokes, license information from installed applications, and passwords from several apps such as browsers, FTP, and email clients.
For these attacks, HawkEye collected the data from targets and sent it via HTTP, unencrypted, to one of two servers. Kaspersky says these two servers belonged to two legitimate businesses that were compromised in the past.