Waterbug hackers hijack rivals to launch cyber attacks

The group has continued its pattern of hacking government offices, harnessing unseen methods


The Waterbug cyber espionage group has continued to successfully attack government institutions across the globe with a refreshed toolkit and a novel method of malware distribution.

A report by Symantec, which surveilled the group over a period of 18 months, found that it was using a new, previously unseen backdoor named 'Neptun' and had also hijacked a rival espionage group's infrastructure, which it used to launch other cyber attacks.


Since early 2018, Waterbug has successfully attacked 13 organisations across 10 different countries, most of which were government offices in different continents including Latin America, the Middle East, Europe and South Asia.

One of the most notable extracts from the whole report was the hijacking of Crambus group's infrastructure to deliver malware to a victim's network, through what Symantec describes as a "hostile takeover".

The malware used by Waterbug was a "heavily modified" version of the widely available hacking tool Mimikatz that appears to be unique to Waterbug. The malware was downloaded to the Middle Eastern victim's network using Crambus-controlled network infrastructure and a Powruner tool known to be tied to Crambus.

In the instance of the Middle Eastern victim, Crambus was the first to compromise the victim's network, with the earliest evidence of the group's activity detected in 2017. Waterbug came along on 11 January 2018 and dropped a Waterbug-linked tool (a task scheduler named msfgi.exe) before downloading its modified Mimikatz variant to the same computer using a Crambus command and control (C&C) server the next day.


"The incident leaves many unanswered questions, chiefly relating to Waterbug's motive for using Crambus infrastructure," read the report. Symantec offered four possible explanations:

  • False flag tactics: Waterbug is known for using false flag tactics to throw researchers off their scent, but it begs the question of why it also used its own infrastructure to communicate with other machines on the victim's network.
  • Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out that Crambus had already compromised its network, and hijacked Crambus's own infrastructure as a means of gaining access.
  • Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded by the Crambus infrastructure was actually developed by Crambus. However, the compilation technique and the fact that the only other occasion it was used was linked to Waterbug work against this hypothesis.
  • Opportunistic sowing of confusion: If a false flag operation wasn't planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators.

"The organisations need to be on their toes and have to watch out for any weird behaviour in their networks," said Boris Cipot, senior security engineer at Synopsys. "Even if the signatures of the malware were found - and you should search for those in your network - there is no saying what is still out there and what could be lurking under the hood of this attack."

Waterbug's operations over the 18-month monitoring period were split into three separate campaigns, each characterised by its mode of attack, according to Symantec.

The first campaign involved a brand new backdoor called Neptun which is installed on Microsoft Exchange servers and passively listens for commands from attackers - its passive operation makes it more difficult to detect.

A second campaign used the Meterpreter backdoor which Waterbug has used since early 2018. This one was modified and given a .wav extension to hide its malicious purpose.
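
A defender can catch this kind of disguise by checking content against the extension. The sketch below is an added example, not code from Symantec or the original article: it validates that a file named `.wav` is structurally a RIFF/WAVE container, and all file names and sample bytes in it are constructed.

```python
import struct

def wav_problem(data: bytes):
    """Return None if data is structurally a WAV file, else the reason it is not."""
    # WAV is a RIFF container: b"RIFF", u32 LE size, b"WAVE", then chunks.
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return "no RIFF/WAVE header"
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        return "RIFF size exceeds file length"
    # Walk the chunk list: 4-byte id, u32 LE size, payload padded to an even
    # length. A playable file needs both a "fmt " and a "data" chunk.
    seen, pos = set(), 12
    while pos + 8 <= len(data):
        chunk_id, size = struct.unpack_from("<4sI", data, pos)
        if pos + 8 + size > len(data):
            return "chunk %r overruns file" % chunk_id
        seen.add(chunk_id)
        pos += 8 + size + (size & 1)
    missing = {b"fmt ", b"data"} - seen
    if missing:
        return "missing chunk(s): " + ", ".join(sorted(c.decode() for c in missing))
    return None

def find_disguised(files):
    """Map each *.wav name to the reason its content is not WAV audio."""
    return {name: why for name, blob in files.items()
            if name.lower().endswith(".wav") and (why := wav_problem(blob))}

# Constructed samples: a minimal valid PCM WAV, an opaque blob, a file that
# fakes only the 12-byte header, and a non-.wav file that is ignored.
FMT = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
BODY = (b"WAVE" + b"fmt " + struct.pack("<I", 16) + FMT
        + b"data" + struct.pack("<I", 4) + bytes(4))
SAMPLES = {
    "chime.wav": b"RIFF" + struct.pack("<I", len(BODY)) + BODY,
    "update.wav": bytes((i * 37 + 11) % 256 for i in range(64)),
    "alert.wav": b"RIFF" + struct.pack("<I", 36) + b"WAVE" + bytes(32),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, why in find_disguised(SAMPLES).items():
        print(name, "->", why)
```

A payload hidden inside the `data` chunk of an otherwise valid WAV file would pass this structural check, so it complements content scanning rather than replacing it.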


The third campaign is characterised by the third of the trio of backdoors. It used a different customised remote procedure call (RPC) backdoor, like Meterpreter, which was built using code from the PowerShellRunner tool to execute PowerShell scripts without having to use powershell.exe.

"This tool is designed to bypass detection aimed at identifying malicious PowerShell usage," said Symantec. "Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry. This was probably done to avoid them being written to the file system."
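
Because the scripts never touch the file system, the registry itself is where to hunt for them. The following added example (not code from Symantec or the original article) scans the text of a registry export for string values that are valid Base64 and decode to PowerShell-looking text; the token list is an assumed heuristic, and the key path, value names and sample script are constructed placeholders.

```python
import base64
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{40,}={0,2}$')
# Assumed heuristic token list; it is not taken from the Symantec report.
PS_TOKENS = re.compile(
    r'invoke-expression|\biex\b|new-object|frombase64string|'
    r'downloadstring|write-output|\[system\.', re.I)

def scan_reg_export(text):
    """Return (key, value_name, tokens) for Base64 values that decode to script text."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or not B64_RE.match(m.group(2)) or len(m.group(2)) % 4:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue
        # PowerShell text is commonly UTF-16LE, sometimes UTF-8: read it both ways.
        tokens = sorted({t.lower()
                         for codec in ("utf-16-le", "utf-8")
                         for t in PS_TOKENS.findall(blob.decode(codec, "ignore"))})
        if tokens:
            findings.append((key, m.group(1), tokens))
    return findings

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample in `reg export` text form (already decoded to str); the
# key path, value names and the harmless script are placeholders.
SCRIPT = "$sb = New-Object System.Text.StringBuilder; Write-Output 'constructed sample'"
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]",
    '"Blob"="%s"' % _b64(SCRIPT.encode("utf-16-le")),
    '"Thumb"="%s"' % _b64(bytes(range(64))),
    r'"InstallDir"="C:\\Program Files\\Example"',
])
```

On the constructed sample only the `Blob` value is reported; the binary `Thumb` value is valid Base64 but decodes to nothing script-like, and the plain path is skipped.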
