Waterbug hackers hijack rivals to launch cyber attacks

The group has continued its pattern of hacking government offices, harnessing unseen methods


The Waterbug cyber espionage group has continued to successfully attack government institutions across the globe with a refreshed toolkit and a novel method of malware distribution.

A report by Symantec, which surveilled the cyber group over a period of 18 months, found that the group was using a new, previously unseen backdoor named 'Neptun' and had also hijacked a rival espionage group's infrastructure, which it used to launch other cyber attacks.

Since early 2018 Waterbug has successfully attacked 13 organisations across 10 different countries, most of which were government offices, spread across several continents and regions including Latin America, the Middle East, Europe and South Asia.

One of the most notable extracts from the whole report was the hijacking of Crambus group's infrastructure to deliver malware to a victim's network, through what Symantec describes as a "hostile takeover".


The malware used by Waterbug was a "heavily modified" version of the widely available hacking tool Mimikatz that appears to be unique to Waterbug. The malware was downloaded to the Middle Eastern victim's network using Crambus-controlled network infrastructure and a Powruner tool known to be tied to Crambus.

In the instance of the Middle Eastern victim, Crambus was the first to compromise the network, with the earliest evidence of the group's activity detected in 2017. Waterbug came along on 11 January 2018 and dropped a Waterbug-linked tool (a task scheduler named msfgi.exe) before downloading its modified Mimikatz variant to the same computer the next day, using a Crambus command and control (C&C) server.

"The incident leaves many unanswered questions, chiefly relating to Waterbug's motive for using Crambus infrastructure," read the report. Symantec offered four possible explanations:

  • False flag tactics: Waterbug is known for using false flag tactics to throw researchers off their scent, but this raises the question of why it also used its own infrastructure to communicate with other machines on the victim's network.
  • Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out that Crambus had already compromised its network, and hijacked Crambus's own infrastructure as a means of gaining access.
  • Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded by the Crambus infrastructure was actually developed by Crambus. However, the compilation technique and the fact that the only other occasion it was used was linked to Waterbug works against this hypothesis.
  • Opportunistic sowing of confusion: If a false flag operation wasn't planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators.

"The organisations need to be on their toes and have to watch out for any weird behaviour in their networks," said Boris Cipot, senior security engineer at Synopsys. "Even if the signatures of the malware were found - and you should search for those in your network - there is no saying what is still out there and what could be lurking under the hood of this attack."

Waterbug's operations over the 18-month monitoring period were split into three separate campaigns, each characterised by their mode of attack, according to Symantec.

The first campaign involved a brand new backdoor called Neptun, which is installed on Microsoft Exchange servers and passively listens for commands from attackers; its passive operation, with no outbound beaconing to spot, makes it more difficult to detect.

A second campaign used the Meterpreter backdoor which Waterbug has used since early 2018. This one was modified and given a .wav extension to hide its malicious purpose.
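The .wav-extension trick described above is cheap to hunt for on a file share or in an acquired disk image, because a real WAVE file begins with a RIFF/WAVE header while a Windows executable begins with "MZ". The following Python check is an added example (not Symantec's code and not part of the report); the extension table, the file paths and the file bodies are constructed for illustration.

```python
"""Flag files whose extension contradicts their content (added example, not Symantec's code).

A .wav file starts with "RIFF" and carries "WAVE" at offset 8; a Windows executable
starts with "MZ". The expected-kind table, the paths and the sample bodies are constructed.
"""
import os

# Extension -> content class we expect for it (constructed, minimal table)
EXPECTED_KIND = {"exe": "pe", "dll": "pe", "scr": "pe", "wav": "wav"}


def sniff(data: bytes) -> str:
    """Classify a file body from its leading bytes."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the content is positively identified and disagrees with the extension."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = sniff(data)
    if kind == "unknown":
        return False  # nothing positive to say; leave this file to other checks
    return EXPECTED_KIND.get(ext) != kind


def wav_header(n_data_bytes: int = 0) -> bytes:
    """Minimal RIFF/WAVE header (constructed sample)."""
    return b"RIFF" + (36 + n_data_bytes).to_bytes(4, "little") + b"WAVEfmt "


# DOS header stub only; a constructed stand-in for a real PE image
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60

# Constructed sample "files": path -> first bytes of the body
SAMPLES = {
    "C:\\Users\\Public\\Music\\audio.wav": wav_header(),
    "C:\\Users\\Public\\Music\\update.wav": PE_STUB,  # executable disguised as audio
    "C:\\Windows\\Temp\\tool.exe": PE_STUB,
    "C:\\Users\\Public\\readme.txt": b"hello",
}


def find_disguised(samples=SAMPLES):
    """Return the sample paths whose extension does not match their content."""
    return sorted(n for n, d in samples.items() if extension_mismatch(n, d))


if __name__ == "__main__":
    for path in find_disguised():
        print("extension/content mismatch:", path)
```

In a real sweep you would feed the first 16 bytes of each file under the directories of interest into `extension_mismatch`; the check deliberately stays silent on content it cannot identify, so it produces a short, high-confidence list rather than noise.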

The third campaign is characterised by the third of the trio of backdoors: a different customised remote procedure call (RPC) backdoor which, like Meterpreter, was built using code from the PowerShellRunner tool to execute PowerShell scripts without having to use powershell.exe.

"This tool is designed to bypass detection aimed at identifying malicious PowerShell usage," said Symantec. "Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry. This was probably done to avoid them being written to the file system."
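Storing scripts Base64-encoded in the registry keeps them off the file system, but it leaves a distinctive artefact: long Base64 strings in registry values that decode to PowerShell text. The script below is an added example (not Symantec's or the PowerShellRunner project's code) of the decode-and-inspect heuristic a hunter would run over exported registry values. The key paths, the value contents and the marker list are constructed assumptions; the blobs are encoded at runtime so the sample is self-contained.

```python
"""Find registry values holding Base64-encoded PowerShell (added example, not Symantec's code).

Input is a mapping of registry value path -> data, as you would get from a registry
export. Blobs are decoded as UTF-16LE (the -EncodedCommand convention) or UTF-8 and
checked for PowerShell markers. Paths, data and markers below are constructed.
"""
import base64
import binascii
import re

# Long, unbroken Base64 with optional padding; short tokens are ignored to limit noise
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Constructed marker list; tune it for your environment (case-insensitive match)
PS_MARKERS = ("$env:", "Invoke-", "Get-", "Set-", "New-Object", "[System.", "-join", "Start-Process")


def decode_blob(blob: str):
    """Return decoded text if blob is Base64 text (UTF-16LE or UTF-8), else None."""
    blob = blob.strip()
    if not B64_RE.match(blob):
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # ASCII text in UTF-16LE has a NUL in every odd byte position
    high = raw[1::2]
    if high and high.count(0) > len(high) * 0.8:
        try:
            return raw.decode("utf-16le")
        except UnicodeDecodeError:
            pass
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def looks_like_powershell(text: str) -> bool:
    """Heuristic: at least two distinct PowerShell markers in the decoded text."""
    lowered = text.lower()
    hits = [m for m in PS_MARKERS if m.lower() in lowered]
    return len(hits) >= 2


def scan_registry_values(values: dict) -> list:
    """Return the value paths whose data decodes to PowerShell-looking text."""
    findings = []
    for path, data in values.items():
        if not isinstance(data, str):
            continue  # binary (REG_BINARY) values would need their own handling
        text = decode_blob(data)
        if text and looks_like_powershell(text):
            findings.append(path)
    return sorted(findings)


# Constructed script body used to build the sample blobs (benign inventory command)
SCRIPT = "Get-ChildItem $env:TEMP -Recurse | Out-File $env:TEMP\\inventory.txt"

# Constructed registry export: the vendor key name and value names are placeholders
SAMPLE_VALUES = {
    "HKCU\\Software\\ExampleVendor\\Cache\\Blob1": base64.b64encode(SCRIPT.encode("utf-16le")).decode(),
    "HKCU\\Software\\ExampleVendor\\Cache\\Blob2": base64.b64encode(SCRIPT.encode("utf-8")).decode(),
    "HKCU\\Software\\ExampleVendor\\Cache\\Blob3": base64.b64encode(bytes(range(32))).decode(),  # binary, not a script
    "HKCU\\Software\\ExampleVendor\\InstallPath": "C:\\Program Files\\ExampleVendor",
}


if __name__ == "__main__":
    for path in scan_registry_values(SAMPLE_VALUES):
        print("Base64-encoded PowerShell in", path)
```

Blob3 shows why the marker step matters: plenty of legitimate software stores Base64 binary in the registry, so decodability alone is not a signal. Pair the hit list with process telemetry, since PowerShellRunner-style hosts load the automation engine without a powershell.exe process, so command-line logging of powershell.exe alone would miss this activity.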
