Separatists in Ukraine Targeted By Cyber Espionage

ESET researchers uncover an ongoing surveillance operation against separatists in Eastern Ukraine.

ESET® researchers have discovered malware that has eluded the attention of anti-malware researchers since at least 2008. Detected by ESET as Win32/Prikormka, the malware is being used to carry out cyber-espionage activities primarily targeting anti-government separatists in the self-declared Donetsk and Luhansk People's Republics. ESET researchers have named the operation Operation Groundbait.

“Along with the armed conflict in the East of Ukraine, the country has been encountering numerous targeted cyberattacks, or so-called advanced persistent threats,” said ESET Senior Malware Researcher Robert Lipovský. “For example, we discovered several campaigns using the now infamous BlackEnergy malware family, one of which resulted in a massive power outage. But in Operation Groundbait, previously unknown malware is used.”

The malware in Operation Groundbait was spread mostly via spear-phishing emails. “During our research, we have observed a large number of samples, each with its designated campaign ID and an appealing file name to spark the target's interest,” explains ESET Malware Researcher Anton Cherepanov.

While the majority of campaigns used themes related to the current Ukrainian geopolitical situation and the war in Donbass to lure the victims into opening the malicious attachments, one of the campaigns in question displayed a pricelist of fishing groundbait instead, giving the campaign its name. “It's the choice of this decoy document that we have so far been unable to explain,” says Lipovský.

As is usual with targeted attacks, attributing the source is tricky as conclusive evidence is difficult to find. Our research into the attacks has shown that the attackers most likely operate from within Ukraine. Whoever they are, it is probably fair to assume that this cyber-surveillance operation is politically motivated. “Any further attempt at attribution would at this point be speculative,” notes Lipovský. “In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too.”

More details about the Operation Groundbait campaigns and technical details of the malware used can be found in ESET's comprehensive whitepaper. Indicators of Compromise (IOCs) that can be used to identify an infection can also be found in the whitepaper or on GitHub.

About ESET

Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.