Phishing scam targets ... actual fishermen in eastern Ukraine
Hook, line and stinker
Security firm ESET has uncovered a long running cyber-espionage campaign in Ukraine, and seemingly targeted at separatists.
Operation Groundbait is a targeted attack most likely run from within Ukraine by as yet unidentified politically motivated hackers. The region is a hotspot for malware-based spying campaign thanks largely to the conflict between the Kiev government and rebels in the East who identify with Russia.
The majority of such campaigns feature booby-trapped content themed around the current Ukrainian geopolitical situation and the war in Donbass in order to trick marks into opening malicious attachments. The latest campaign, however, takes a completely different tack by displaying a pricelist of fishing groundbait instead, as explained in a blog post by ESET here.
The attackers are apparently targeting separatists and the self-declared governments in eastern Ukrainian war zones. A large number of other targets, including Ukrainian government officials, Ukrainian politicians, Ukrainian journalists, and others have also been affected, ESET reports.
Whether these secondary targets are been deliberately selected or represent collateral damage remains unclear.
ESET detects the malware associated with the attacks, which may have been going on since as long ago as 2008, as Prikormka. The attacks seem to have slipped under the radar for eight years but now that one anti-virus vendor has caught onto the campaign, widespread detection by other vendors can be expected to follows within days or weeks.
The long lag between attack and detection is lamentable but by no means uncommon when it comes to cyber-espionage motivated attacks which, by their very nature, are stealthy.
The security community in general is playing particularly close attention to malware-slinging in Ukraine after the BlackEnergy malware was linked to attacks that results in power outages last December. More than 200,000 people temporarily without power on December 23 as the result of attacks blamed on external hackers, a world first. Russia - unsurprisingly - is the prime suspect. ®