Hackers Target Industrial Companies
Friday, August 19, 2016 @ 02:08 PM gHale
Industrial companies beware: Over 130 firms in more than 30 countries ended up targeted for espionage, researchers said.
The vast majority of the victims are small to medium companies (30-300 employees) in the industrial sector.
This cyber espionage group, called Operation Ghoul, started up in March, but really intensified operations between June 8 and 27, said researchers at Kaspersky Lab.
The majority of targeted companies are in industrial sectors such as petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, and plastics.
Other activity sectors also ended up targeted, such as engineering, shipping, pharmaceutical, manufacturing, trading, education, tourism, IT, and more.
The group has shown a narrow focus on companies activating in the industrial sector, but not specific to one country. Attacks scattered all over the globe, with the most recorded in Spain (25 incidents), Pakistan (22), the United Arab Emirates (19), India (17), Egypt (16), among others.
Other targeted countries include the UK, Germany, South Africa, Portugal, Qatar, Switzerland, Gibraltar, U.S., Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq, and Italy.
Ghoul hackers used the HawkEye spyware to carry out their attacks.
Attackers placed their spyware inside an EXE file, which they put inside a ZIP file and sent via spear-phishing emails to high-ranking persons in the targeted companies. Kaspersky said these emails went out to chief executives, COOs, managers, engineers, supervisors, salespersons, and others.
“The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information,” said Mohamad Amin Hasbini, Kaspersky senior security researcher.
The HawkEye spyware can steal clipboard data, keystrokes, license information from installed applications, and passwords from several apps such as browsers, FTP, and email clients.
For these attacks, HawkEye collected the data from targets and sent it via HTTP, unencrypted, to one of two servers. Kaspersky said these two servers belonged to two legitimate businesses that ended up compromised in the past.