18.5.16

Operation Groundbait: Espionage in Ukrainian war zones


By Robert Lipovsky in cooperation with Anton Cherepanov

In addition to the armed conflict in eastern Ukraine, in recent years the country has been facing a significantly higher number of targeted cyberattacks, or so-called advanced persistent threats (APTs).
After BlackEnergy, which has, most infamously, facilitated attacks that resulted in power outages for hundreds of thousands of Ukrainian civilians, and Operation Potao Express, where attackers went after sensitive TrueCrypt-protected data from high value targets, ESET researchers have uncovered another cyberespionage operation in Ukraine: Operation Groundbait.
Cyber-surveillance focusing on separatists
The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.
While the attackers seem to be more interested in separatists and the self-declared governments in eastern Ukrainian war zones, there have also been a large number of other targets, including, among others, Ukrainian government officials, politicians and journalists..
Groundbait?
These cyberespionage activities have been carried out using a malware family that ESET detects as Win32/Prikormka. The malware has until now eluded the attention of anti-malware researchers since at least 2008.
The infection vector for spreading the malware was mostly through spear-phishing emails (which is somewhat the norm for targeted attacks). During our research, we have observed a large number of samples, each with its designated campaign ID, an appealing file name to spark the target’s interest, and decoy documents with various themes related to the current Ukrainian geopolitical situation and the war in Donbass.
We chose the name Groundbait – the translation of the Russian word Prikormka (Прикормка) – because of a puzzling theme used in one campaign that stood out among the others, which used themes related to the armed conflict. The malware file name was prikormka.exe and it displayed a pricelist of fishing groundbait, a choice of decoy document that we have so far been unable to explain.

From a technical perspective, the malware features a modular architecture, allowing the attackers to expand its functionality and steal various types of sensitive information and files from the cyber-surveillance targets.
Further technical details of the malware, as well as additional information on the ongoing cyberespionage operation, can be found in our comprehensive whitepaper.
So who’s behind it?
As is usual in the world of cybercrime and APTs, attributing the source of the attack is tricky as conclusive evidence is difficult to find. Our research into the attacks has shown that the attackers most likely operate from within Ukraine.
Whoever they are, based on the types of targets chosen – mostly separatists in the self-declared Donetsk and Luhansk People’s Republics – it is probably fair to assume that this cyber-surveillance operation is politically motivated.
Apart from that, any further attempt at attribution would at this point be speculative. It is important to note that in addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too.
Our comprehensive whitepaper includes more information on the Operation Groundbait campaigns and technical details of the Prikormka malware. Indicators of Compromise (IOC) that can be used to identify an infection can also be found in the whitepaper or on github.

For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com