Connect with us

Hi, what are you looking for?


Malware & Threats

Ukraine Separatists, Politicians Targeted in Surveillance Operation

Researchers at ESET have uncovered a cyber surveillance/espionage operation aimed at separatists, government officials, journalists and politicians in Ukraine.

Researchers at ESET have uncovered a cyber surveillance/espionage operation aimed at separatists, government officials, journalists and politicians in Ukraine.

The campaign, dubbed by the security firm Operation Groundbait, relies on a piece of malware dubbed Prikormka (the Russian word for “groundbait”). The malware, mostly seen in Ukraine, managed to go undetected since at least 2008.

The malware likely went unnoticed for several years due to low infection rates. ESET noticed the threat in 2015, when the number of infections rose to 178, a significant increase from the previous year when only 44 infections were spotted.

“The low detection ratio and ability to stay undetected for years is a common characteristic of targeted attacks (APTs). The investigation of campaigns and Prikormka activity has increased our confidence that this malware is used in targeted attacks,” ESET said in a report detailing Operation Groundbait.

The malware, designed to work on 32- and 64-bit Windows systems, uses over a dozen modules stored on the disk as DLL and EXE files to conduct various tasks. The Trojan is capable of stealing documents, logging keystrokes, grabbing screenshots, capturing audio from the microphone and Skype calls, and collecting saved passwords from applications.

In many cases, the attackers delivered the malware via spear-phishing emails carrying bait documents referencing the geopolitical situation in Ukraine and the armed conflict in the country’s Donbass region. The malware was dubbed Prikormka because in one of the attacks observed by the security firm, the threat displayed a pricelist for fishing groundbait.

“It’s the choice of this decoy document that we have so far been unable to explain,” said Robert Lipovský, senior malware researcher at ESET.

While a majority of infections have been found in Ukraine, the malware has also been detected in Russia. Researchers identified more than 80 unique campaign IDs, each associated with a number of decoy documents designed for a specific target.

Advertisement. Scroll to continue reading.

The threat actor appears to have targeted individuals in the Ukrainian government, anti-government separatists in the Luhansk and Donetsk regions, and Ukraine’s nationalist political party Right Sector (Pravyi Sektor). Decoy documents analyzed by researchers also referenced religious topics, payment card fraud, and a job application written in Hungarian.

Evidence uncovered by ESET suggests that the attackers are conducting a politically-motivated operation from within Ukraine, which has led the security firm to classify it as cyber surveillance.

“Any further attempt at attribution would at this point be speculative. In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too,” said Lipovský.

This is not the only APT campaign aimed at Ukraine. The country has been targeted in Operation Potato Express, by the Russia-linked threat group Pawn Storm (APT28, Sofacy), and by Sandworm Team or a related Russian operator with attacks on the country’s energy sector.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.