Waterbug hackers hijack rivals to launch cyber attacks

The group has continued its pattern of hacking government offices, harnessing unseen methods


The Waterbug cyber espionage group has continued to successfully attack government institutions across the globe with a refreshed toolkit and a novel method of malware distribution.

report by Symantec which surveilled the cyber group over a period of 18 months found that the group was using a new, previously unseen backdoor named 'Neptun' and also hijacked a rival espionage group's infrastructure which it used to launch other cyber attacks.

Since early 2018 Waterbug has successfully attacked 13 organisations across 10 different countries, most of which were government offices in different continents including Latin America, Middle East, Europe and South Asia.

One of the most notable extracts from the whole report was the hijacking of Crambus group's infrastructure to deliver malware to a victim's network, through what Symantec describes as a "hostile takeover".

The malware used by Waterbug was a "heavily modified" version of the widely-available hacking tool Mimikatz that appears to be unique to Waterbug. The malware was downloaded to the middle eastern victim's network using Crambus-controlled network infrastructure and a Powruner tool known to be tied to Crambus.

In the instance of the middle eastern victim, Crambus was the first to compromise the victim's network with the earliest evidence of the group's activity detected in 2017. Waterbug came along on 11 January 2018 and dropped a Waterbug-linked tool (a task scheduler named msfgi.exe) before downloading its modified Mimikatz variant to the same computer using a Crambus command and control (C&C) server the next day.

"The incident leaves many unanswered questions, chiefly relating to Waterbug's motive for using Crambus infrastructure," read the report. Symantec offered four possible explanations:

  • False flag tactics: Waterbug is known for using false flag tactics to throw researchers off their scent, but it begs the question of why it also used its own infrastructure to communicate with other machines on the victim's network.
  • Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out that Crambus had already compromised its network, and hijacked Crambus's own infrastructure as a means of gaining access.
  • Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded by the Crambus infrastructure was actually developed by Crambus. However, the compilation technique and the fact that the only other occasion it was used was linked to Waterbug works against this hypothesis.
  • Opportunistic sowing of confusion: If a false flag operation wasn't planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators.

"The organisations need to be on their toes and have to watch out for any weird behaviour in their networks," said Boris Cipot, senior security engineer at Synopsys. "Even if the signatures of the malware were found - and you should search for those in your network - there is no saying what is still out there and what could be lurking under the hood of this attack."

Waterbug's operations over the 18-month monitoring period were split into three separate campaigns, each characterised by their mode of attack, according to Symantec.

The first campaign involved a brand new backdoor called Neptun which is installed on Microsoft Exchange servers and passively listens for commands from attackers - its passive operation makes it more difficult to detect.

A second campaign used the Meterpreter backdoor which Waterbug has used since early 2018. This one was modified and given a .wav extension to hide its malicious purpose.

The third of a trio of backdoors characterises the third campaign. It used a different customised remote procedure call backdoor like Meterpreter which was formed using code from the PowerShellRunner tool to execute PowerShell scripts without having to use powershell.exe.

"This tool is designed to bypass detection aimed at identifying malicious PowerShell usage," said Symantec. "Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry. This was probably done to avoid them being written to the file system."

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now


Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

The benefits of workload optimisation

The benefits of workload optimisation

16 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021