Separatists in Ukraine targeted by cyber espionage


This cyber-espionage operation in Ukraine, called Operation Groundbait, is being used primarily to target anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.

The discovery of Operation Groundbait follows previous research by ESET on BlackEnergy, which has, most infamously, facilitated attacks that resulted in power outages for hundreds of thousands of Ukrainian civilians, and on Operation Potao Express, where attackers went after sensitive TrueCrypt-protected data from high-value targets.

Appendix – Decoy document screenshot

About Operation Groundbait
Operation Groundbait’s key differentiator is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.
While the attackers seem to be most interested in separatists and the self-declared governments in eastern Ukrainian war zones, there have also been a large number of other targets, including Ukrainian government officials, Ukrainian politicians, Ukrainian journalists, and others.

The cyber-espionage activities have been carried out using a malware family that ESET detects as Win32/Prikormka. The malware has gone undetected by anti-malware researchers since at least 2008.

The malware was spread mostly through spear-phishing emails, which is relatively common for targeted attacks. ESET’s researchers observed a large number of samples, each with its designated campaign ID, an attractive file name to spark the target’s interest, and decoy documents with various themes related to the current Ukrainian geopolitical situation and the war in Donbass.

More information about this malware and how to protect yourself from it can be found on the WeLiveSecurity blog.

Commentary from ESET Senior Malware Researcher Robert Lipovský
“Along with the armed conflict in the East of Ukraine, the country has been encountering numerous targeted cyberattacks, or so-called advanced persistent threats. For example, we discovered several campaigns using the now infamous BlackEnergy malware family, one of which resulted in a massive power outage. But in Operation Groundbait, previously unknown malware is used.”

“It’s the choice of this decoy document that we have so far been unable to explain.”
