Operation Ghoul: Learning from the targeted attack analysis to protect your business

Kaspersky Lab’s security experts released a detailed report on Operation Ghoul – a targeted campaign aimed primarily at businesses in the Middle East and Europe.

Today Kaspersky Lab’s security experts released a detailed report on Operation Ghoul – a targeted campaign aimed primarily at businesses in the Middle East, although a notable number of attacked businesses apparently reside in Europe. You can read the detailed investigation report here at Securelist. In this blog post we will evaluate the most notable specifics of the campaign and describe remediation approaches that will help business protect themselves from similar attacks.

Evaluating the threat level

Unlike most ‘newsworthy’ threats such as The Equation or the recent ProjectSauron, the Ghoul campaign does not appear to be very sophisticated. For example, this attack used a single command and control server, likely hosted on someone’s compromised machine. This doesn’t mean that the attack is not dangerous. For initial infection it uses spear-phishing – an e-mail with a malicious attachment that is disguised as regular corporate communications. Untrained employees often fall victim to such tricks. The malicious payload collects a wide range of private information, from passwords via keylogging, to personal and corporate account data. The loss of such information leads to a lot of trouble.

The good news is attacks like Ghoul can be effectively blocked, and in the case of a breach – quickly remediated, if a proper security strategy is in place in the company affected. While prevention methods (like an efficient endpoint security solutions) play the most important role here, they are not the only solutions recommended to enhance protection from attacks like Ghoul. In fact, protection should kick in before the poisonous e-mail reaches your employee.

Mail Security

Security solutions for protecting e-mail traffic are often associated with anti-spam functionality. Technically however, spear-phishing is not spam: targeted campaigns do not always resort to sending malicious e-mails in bulk. But a proper security solution like Kaspersky Security for Mail Server is likely to raise a red flag and block an attachment, if it is an archive with unknown and suspicious executable contents. Stopping an attack before it even starts is, thus, worth the investment.

Endpoint Security

The Ghoul masterminds use conventional methods of cyberespionage that have been known for years: keylogging, accessing data from web browsers, chat and FTP clients, etc. An efficient endpoint security solution like Kaspersky Endpoint Security for Business is capable of stopping the attack at many stages, using different technologies. Besides the malicious attachment, Ghoul uses the traditional phishing methods – redirecting employees to web pages that resemble real corporate or public resources. This can be blocked by a Web Security module. Traditional security methods and proactive technologies are capable of stopping the initial infection, and intelligent modules like System Watcher may spot and block attempts to access data from installed software, which is definitely a suspicious activity.

Security Intelligence

A new way to reduce the chances of becoming a victim of a targeted operation is to use vendor-sourced security intelligence to block an attack at once or detect an active breach. The report from Kaspersky Lab’s experts features indicators of compromise: information about IP addresses, domains and malicious files used by a particular campaign. Information about many other attacks is shared with our enterprise customers in an actionable form, so it can be fed to a SIEM system. This gives our clients an extra layer of protection from targeted operations. More information on APT Intelligence Reporting can be found here.

Industry-specific security

One striking specific of operation Ghoul is that it targets mostly industrial and engineering organisations. Although the attack does not have any modules to attack industrial infrastructure, the information obtained during the espionage phase can be subsequently used for these purposes. This brings us to the topic of specialized security for IT systems used to operate industrial facilities and critical infrastructure. Such solutions should be capable of blocking a traditional attack like Ghoul, but they should also identify attempts to compromise specialized industrial software and hardware. Such a solution has been included in Kaspersky Lab’s portfolio recently. You can read more about Kaspersky Industrial Cybersecurity here.


The Ghoul campaign is a dangerous targeted attack, but based on the examples from our portfolio we have shown that it can be blocked using existing technologies. Effective deployment of these technologies is what matters. And the key takeaway from this research is that different security methods have to be implemented in a multi-layered fashion. Then, combined, they significantly reduce the chances of a successful attack. They make it much more expensive for threat actors to reach your data.