ESET researchers uncover an ongoing surveillance operation against separatists in Eastern Ukraine.
ESET® researchers have discovered malware that has eluded the attention of anti-malware researchers since at least 2008. Detected by ESET as Win32/Prikormka, the malware is being used to carry out cyber-espionage activities primarily targeting anti-government separatists in the self-declared Donetsk and Luhansk People's Republics.
“Along with the armed conflict in the East of Ukraine, the country has been encountering numerous targeted cyberattacks, or so-called advanced persistent threats. For example, we discovered several campaigns using the now infamous BlackEnergy malware family, one of which resulted in a massive power outage. But in Operation Groundbait, previously unknown malware is used,” notes Robert Lipovský, ESET Senior Malware Researcher.
The infection vector used to spread the malware in Operation Groundbait was mostly via spear-phishing emails.
“During our research, we have observed a large number of samples, each with its designated campaign ID and an appealing file name to spark the target’s interest,” explains Anton Cherepanov, Malware Researcher at ESET.
The whole operation has been named Groundbait, by ESET researchers, after one of its particular campaigns. While the majority of campaigns used themes related to the current Ukrainian geopolitical situation and the war in Donbass to lure the victims into opening the malicious attachment, the campaign in question displayed a pricelist of fishing Groundbait instead.
“It’s the choice of this decoy document that we have so far been unable to explain.” says Lipovský.
As is usual with targeted attacks, attributing the source is tricky as conclusive evidence is difficult to find. Our research into the attacks has shown that the attackers most likely operate from within Ukraine. Whoever they are, it is probably fair to assume that this cyber-surveillance operation is politically motivated.
“Any further attempt at attribution would at this point be speculative. In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too,” concludes Robert Lipovský.
More details about Operation Groundbait campaigns and technical details of the malware used can be found in ESET’s comprehensive whitepaper. Indicators of Compromise (IOC) that can be used to identify an infection can also be found in the whitepaper or on GitHub.
Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.