Check Point identifies Nigerian as behind massive global cyber attacks
Check Point’s researchers have revealed the identity of a cyber criminal who attacked more than 4 000 organisations over the past four months. The Israel-based cyber security firm says the cyber attacks aimed to infect organisations’ networks, steal data and commit fraud.
Many of these companies are leading international names in industries such as oil and gas, manufacturing, banking and construction, and some have had their defences breached by the attacks.
Companies that Check Point researchers confirmed were infected during the campaign include a marine and energy solutions company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction company in Dubai, an oil and gas firm in Kuwait, and a construction organisation in Germany.
According to Check Point, successful attacks on this scale are usually attributed to expert gangs of cyber criminals – often backed by a nation state, with the aim of destabilising economies.
However, following extensive research into the campaign, Check Point researchers discovered the attacker is a Nigerian national, working on his own. On his social media accounts, he uses the motto: “get rich or die trying”, the firm says.
His attack campaign uses fraudulent e-mails which appear to originate from oil and gas giant Saudi Aramco, the world’s second largest daily oil producer, targeting financial staff within companies to trick them into revealing company bank details or into opening the e-mail’s malware-infected attachment.
The malware used is NetWire, a remote access Trojan which allows full control over infected machines, and Hawkeye, a key-logging program. The campaign has resulted in 14 successful infections, earning the criminal thousands of dollars in the process, says Check Point.
“It’s particularly striking that his techniques display a low level of cyber skills. His fraudulent e-mails are crude and unsophisticated; there is almost no research or social engineering involved in creating them,” says Doros Hadjizenonos, Check Point SA’s country manager.
“The titles of the e-mails are generic, and phrased as ‘Dear Sir/Ms.’ The same mail is sent to numerous targets, all in blind carbon copy, urging victims to send back banking details, perhaps for future scams. The attacks were launched from the e-mail addresses firstname.lastname@example.org, and email@example.com,” he adds.
“What’s more, the malware he uses is old, generic and readily available online; and he uses freeware to ‘scrape’ e-mail addresses from corporate Web sites which he then uses as targets for his campaigns.”
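A heuristic scorer for the traits quoted above, added here as an illustration (not Check Point's code); the brand-to-domain allowlist and the sample message are constructed placeholders, not real Saudi Aramco infrastructure:

```python
"""Scores one e-mail against the BEC traits described above (added example; brand list and sample mail are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: defender-maintained map of impersonated brand -> legitimate sender domains (placeholder values).
BRAND_DOMAINS = {"saudi aramco": {"aramco.example"}}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".jar", ".vbs", ".zip", ".rar", ".iso")
BANK_REQUEST = re.compile(r"\b(bank(ing)? details|account number|iban|swift)\b", re.I)

def bec_indicators(raw):
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Display name borrows a known brand while the sending domain is not one of the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            hits.append("brand_display_name_domain_mismatch")
    # Mass mailing with every target in BCC leaves To empty or set to "undisclosed-recipients".
    to = msg.get("To", "").strip().lower()
    if not to or "undisclosed" in to:
        hits.append("undisclosed_recipients")
    body = ""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append("executable_attachment")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if re.search(r"^dear\s+(sir|madam|ms)\b", body, re.I | re.M):  # generic "Dear Sir/Ms." opener
        hits.append("generic_salutation")
    if BANK_REQUEST.search(body):  # asks the victim to send back banking details
        hits.append("bank_details_request")
    return hits

# Constructed sample mirroring the campaign's traits; addresses are placeholders, attachment body is a stub.
SAMPLE = """\
From: "Saudi Aramco Accounts" <payments@mail-example.invalid>
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary="b1"

--b1

Dear Sir/Ms. Kindly confirm your company bank details and open the attached invoice.
--b1
Content-Disposition: attachment; filename="invoice.exe"

MZ
--b1--
"""
```

Each indicator on its own is weak, which is why the scorer returns the whole list rather than a single verdict; a mail gateway rule would act on the count or on specific combinations.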
Check Point believes the fact that the campaign was still effective, despite using only basic cyber criminal techniques, shows just how much of a problem these business e-mail compromise attacks have become.
This highlights the need for all organisations to improve their security to protect against phishing and business e-mail compromise scams, and to educate their employees to be cautious about opening e-mails, even from companies or individuals that they recognise, it urges.
Since uncovering the campaign and establishing its origins, Check Point’s research team has notified law enforcement authorities in Nigeria and internationally, and shared its findings with them.