The IT security researchers at CheckPoint cyber security firm headquartered in Israel and the US has revealed that the recent series of cyber crimes against oil (1), mining (2), construction, and energy sector organizations (3) were perpetrated by a young hacker and not any nation-state sponsored hacker group. It comes as a big surprise considering that the hacking campaign in which various high profile firms across the globe were targeted, were carried out by a lone hacker.
In its official blog post released on August 15th, CheckPoint stated that the hacker uses the motto “Get Rich or Die Trying” on social media. Moreover, the hacker is in his mid-20s and is a Nigerian national who used phishing and malware infection to compromise over 4,000 computers.
The huge scale of the attacks suggests that the hacker had access to extensive resources, but that is not the case. Despite having poor operational security, he was successful in hacking into the networks of 14 organizations, but that’s also the reason why researchers were able to detect and monitor his actions.
The hacker used a remote access Trojan called NetWire and a keylogger called Hawkeye to steal login details and financial information from targeted organizations. The RAT was used to gain control of infected systems while the keylogging program helped in stealing the login credentials.
It is worth noting that the attacks were directed towards the financial staff employed in different sectors and regions. For instance, the Middle East and Europe based energy and
transportation firms were attacked through phishing. The attacker sent an email that appeared to be sent by Saudi Aramco, a noteworthy oil, and gas firm. Email addresses from Yahoo domains were used, and the hacker didn’t even try to hide the addresses from being identified, which security experts’ claim was an amateurish act.
His targets included a transportation company in Abu Dhabi, an energy company in Croatia, Egypt based mining firm, Dubai based construction company, another construction firm in Germany and an oil & gas firm in Kuwait.
The campaign was launched in April 2017, but the activities of the hacker were identified after he had claimed several targets. A series of suspicious emails were detected, which were Phishing scams. The emails were pretty unconvincing as these contained spelling mistakes and generic subjects. The recipient was referred to as Sir or Ms. Recipient was asked to download an attachment, which asked for enabling macro and installed two different types of malware.
The name of the hacker hasn’t been revealed by CheckPoint but the company did acknowledge that he lives somewhere near the capital city in Nigeria. The security firm is helping local law enforcement for locating the cyber criminal.
The revelations point out a key factor that phishing still remains a major threat to businesses around the world; in this campaign, the hacker tricked the firm’s financial staff to give away bank details of the firm. Since Saudi Aramco is among the world’s top exporters of natural gas and crude oil, use of its name in the email was enough to attract the victim. Through his “crude and unsophisticated” phish campaign, the Nigerian hacker managed to make thousands of dollars but the exact figure hasn’t been disclosed as yet.
“Even though this individual is using low-quality phishing emails, and generic malware which is easy to find online, his campaign has still been able to infect several organizations. It shows just how easy it is for a relatively unskilled hacker to launch a large-scale campaign that successfully breaches the defenses of even large companies, enabling them to commit fraud,” said Horowitz.
Researchers urge that organizations need to educate employees regarding security etiquettes as they must remain cautious in opening emails even if these seem to be sent by legit companies or individuals.