Researchers at ESET have uncovered a cyber surveillance/espionage operation aimed at separatists, government officials, journalists and politicians in Ukraine.
The campaign, which the security firm has named Operation Groundbait, relies on a piece of malware dubbed Prikormka (the Russian word for “groundbait”). The malware, seen mostly in Ukraine, managed to go undetected since at least 2008.
The malware likely went unnoticed for several years due to low infection rates. ESET noticed the threat in 2015, when the number of infections rose to 178, a significant increase from the previous year when only 44 infections were spotted.
“The low detection ratio and ability to stay undetected for years is a common characteristic of targeted attacks (APTs). The investigation of campaigns and Prikormka activity has increased our confidence that this malware is used in targeted attacks,” ESET said in a report detailing Operation Groundbait.
The malware, designed to work on 32- and 64-bit Windows systems, uses over a dozen modules stored on the disk as DLL and EXE files to conduct various tasks. The Trojan is capable of stealing documents, logging keystrokes, grabbing screenshots, capturing audio from the microphone and Skype calls, and collecting saved passwords from applications.
In many cases, the attackers delivered the malware via spear-phishing emails carrying bait documents referencing the geopolitical situation in Ukraine and the armed conflict in the country’s Donbass region. The malware was dubbed Prikormka because, in one of the attacks observed by the security firm, the threat displayed a price list for fishing groundbait as its decoy.
“It’s the choice of this decoy document that we have so far been unable to explain,” said Robert Lipovský, senior malware researcher at ESET.
While a majority of infections have been found in Ukraine, the malware has also been detected in Russia. Researchers identified more than 80 unique campaign IDs, each associated with a number of decoy documents designed for a specific target.
The threat actor appears to have targeted individuals in the Ukrainian government, anti-government separatists in the Luhansk and Donetsk regions, and Ukraine’s nationalist political party Right Sector (Pravyi Sektor). Decoy documents analyzed by researchers also referenced religious topics, payment card fraud, and a job application written in Hungarian.
Evidence uncovered by ESET suggests that the attackers are conducting a politically-motivated operation from within Ukraine, which has led the security firm to classify it as cyber surveillance.
“Any further attempt at attribution would at this point be speculative. In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too,” said Lipovský.
This is not the only APT campaign aimed at Ukraine. The country has been targeted in Operation Potato Express, by the Russia-linked threat group Pawn Storm (APT28, Sofacy), and by Sandworm Team or a related Russian operator with attacks on the country’s energy sector.