A recent phishing and malware campaign looked like the work of a cybercriminal gang — but researchers have tracked it back to a lone attacker in Nigeria.
An international hacking campaign targeting thousands of oil, mining and construction firms sounds like the work of a sophisticated criminal operation. The scale of such an endeavour suggests it would need extensive resources and manpower, potentially even nation-state backing.
But a newly uncovered cyberattack that targeted more than 4,000 organisations in the oil and gas, mining, construction, and transportation sectors has been found to have been carried out by a 20-year-old man in Nigeria.
The lone attacker successfully hacked into the networks of at least 14 organisations, including a marine and energy company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction company in Dubai, an oil and gas firm in Kuwait, and a construction organisation in Germany.
Using a remote access Trojan and a keylogger, the attacker stole login credentials and financial information from these companies.
The fact that attacks were targeted at financial staff working in specific regions and sectors — energy and transportation firms in Europe and the Middle East — and the use of a phishing email lure claiming to be from oil and gas giant Saudi Aramco, initially led researchers to believe the campaign was the work of a well-organised group.
But researchers at Check Point investigating the attack found this wasn’t the case.
“We realised this was just one person, because of the technical analysis of the malware and the C&C communications, we realised it was a criminal, not a nation state conducting espionage,” Maya Horowitz, head of research for Check Point, told ZDNet.
And unlike professional hacking gangs, the culprit has very poor operational security, allowing researchers to identify him and monitor his actions.
“You can see holes in the phishing emails themselves and there are holes all over the infrastructure,” Horowitz said.
Put simply, the phishing emails are crude and unconvincing, with spelling errors, generic subjects and the target referred to as ‘Sir/Ms’. The mass-mailed messages ask users to download an attachment, which asks for macros to be enabled then installs two forms of malware — both of which are freely available on the web.
Victims end up infected with Netwire, a remote access Trojan that allows the attacker to gain full control of infected machines, and Hawkeye, a commercially available form of keylogging software. While both forms of malware are relatively simple, they’ve enabled the attacker to steal banking and other credentials, and earn thousands by stealing from accounts and selling on credentials.
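The traits the article describes (a macro-bearing attachment, a generic ‘Sir/Ms’ greeting, a request to enable macros, and a Saudi Aramco display name that does not match the sending domain) are exactly what a mail-gateway triage rule can score on. The following is an added illustration written for this article, not code from Check Point or from the campaign; the `Email` class, the scoring weights and the sample messages are constructed, and the mapping of "saudi aramco" to the domain `aramco.com` is an assumption used only for illustration.

```python
import re
from dataclasses import dataclass, field

# Office extensions that can carry VBA macros; the lure asked victims to
# enable macros, which is what dropped the RAT and the keylogger.
MACRO_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}

@dataclass
class Email:
    sender_display: str          # display name in the From header
    sender_domain: str           # domain of the From address
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def triage(mail, brand_domains=None):
    """Return (score, reasons). One point per lure trait; >= 3 merits analyst review."""
    # Brands worth checking for impersonation -> domains they legitimately send from.
    # The aramco.com mapping is an assumption for this example.
    brand_domains = brand_domains or {"saudi aramco": {"aramco.com"}}
    reasons = []
    for name in mail.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_EXTENSIONS:
            reasons.append(f"macro-capable attachment: {name}")
    if re.search(r"\b(dear\s+)?sir\s*/\s*(ms|madam)\b", mail.body, re.I):
        reasons.append("generic salutation instead of recipient name")
    if re.search(r"enable\s+(macros?|content|editing)", mail.body, re.I):
        reasons.append("asks recipient to enable macros")
    display = mail.sender_display.lower()
    domain = mail.sender_domain.lower()
    for brand, legit in brand_domains.items():
        if brand in display and domain not in legit:
            reasons.append(f"'{mail.sender_display}' sent from {mail.sender_domain}")
    return len(reasons), reasons

# Constructed samples modelled on the article's description; not real messages.
LURE = Email("Saudi Aramco Procurement", "freemail.invalid", "Invoice",
             "Dear Sir/Ms, please open the attached invoice and enable macros to view it.",
             ["invoice.docm"])
BENIGN = Email("Accounts Payable", "partner.invalid", "Signed contract",
               "Hi Jane, the countersigned contract is attached as a PDF.",
               ["contract.pdf"])

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        print(m.subject, triage(m))
```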
While he has managed to infiltrate a number of large organisations, the perpetrator is far from a cybercriminal mastermind. Indeed, he has not even made much of an effort to cover his tracks and has even discussed his actions on Facebook.
“He’s not very techie, but he’s on a Facebook group of several Nigerian hackers where they exchange tactics and techniques,” said Horowitz.
Attacks using phishing to infect machines with malware are gaining in popularity, she added, and are replacing the infamous 419 scams of old. “The same people who ten years ago were only able to send Nigerian Prince scams today they can just rent malware and send it to whoever,” said Horowitz.
“It’s the same people, with the same technical skills, but now this whole market works more like a business where you can just buy or rent your tools online as malware-as-a-service. In this case it’s not even on the dark web, it’s just on the internet,” she added.
The increasing availability of malware-as-a-service — or freeware such as Netwire and Hawkeye — means it’s easier than ever for budding cybercriminals to get in on the action. However, in many cases, the attacker doesn’t have the knowledge to take the necessary steps to hide themselves.
In the case of this individual, Check Point has shared its findings with Nigerian police and international agencies in order to stop future attacks and arrest the culprit.
Those organisations that have already fallen victim to the attacks will need to take extra security precautions, because it’s likely log-in credentials and other sensitive information have been sold on to criminals who could use them to perform further attacks.
Ultimately, the phishing emails used in this attack were very basic but nonetheless fooled employees in the target organisations. Horowitz stressed the importance of companies making employees aware what these emails look like and the threats they pose.
“These attacks can be prevented, nobody has to be infected with this malware,” said Horowitz.
“Fourteen organisations were hit but there’s no reason they should have, because with proper security measures and — more importantly — education and awareness, these emails shouldn’t have got into the systems.”