Ukraine Separatists, Politicians Targeted in Surveillance Operation

Researchers at ESET have uncovered a cyber surveillance/espionage operation aimed at separatists, government officials, journalists and politicians in Ukraine.

The campaign, which the security firm has dubbed Operation Groundbait, relies on a piece of malware named Prikormka (the Russian word for “groundbait”). The malware, seen mostly in Ukraine, has gone undetected since at least 2008.

The malware likely went unnoticed for several years due to low infection rates. ESET noticed the threat in 2015, when the number of infections rose to 178, a significant increase from the previous year when only 44 infections were spotted.

“The low detection ratio and ability to stay undetected for years is a common characteristic of targeted attacks (APTs). The investigation of campaigns and Prikormka activity has increased our confidence that this malware is used in targeted attacks,” ESET said in a report detailing Operation Groundbait.

The malware, designed to work on 32- and 64-bit Windows systems, uses over a dozen modules stored on the disk as DLL and EXE files to conduct various tasks. The Trojan is capable of stealing documents, logging keystrokes, grabbing screenshots, capturing audio from the microphone and Skype calls, and collecting saved passwords from applications.

In many cases, the attackers delivered the malware via spear-phishing emails carrying bait documents referencing the geopolitical situation in Ukraine and the armed conflict in the country’s Donbass region. The malware was named Prikormka because, in one of the attacks observed by the security firm, the threat displayed a price list for fishing groundbait as its decoy.

“It’s the choice of this decoy document that we have so far been unable to explain,” said Robert Lipovský, senior malware researcher at ESET.

While a majority of infections have been found in Ukraine, the malware has also been detected in Russia. Researchers identified more than 80 unique campaign IDs, each associated with a number of decoy documents designed for a specific target.

The threat actor appears to have targeted individuals in the Ukrainian government, anti-government separatists in the Luhansk and Donetsk regions, and Ukraine’s nationalist political party Right Sector (Pravyi Sektor). Decoy documents analyzed by researchers also referenced religious topics, payment card fraud, and a job application written in Hungarian.

Evidence uncovered by ESET suggests that the attackers are conducting a politically motivated operation from within Ukraine, which has led the security firm to classify it as cyber surveillance rather than foreign espionage.

“Any further attempt at attribution would at this point be speculative. In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too,” said Lipovský.

This is not the only APT campaign aimed at Ukraine. The country has been targeted in Operation Potato Express, by the Russia-linked threat group Pawn Storm (APT28, Sofacy), and by Sandworm Team or a related Russian operator with attacks on the country’s energy sector.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
