Waterbug hackers hijack rivals to launch cyber attacks

The group has continued its pattern of hacking government offices, harnessing unseen methods


The Waterbug cyber espionage group has continued to successfully attack government institutions across the globe with a refreshed toolkit and a novel method of malware distribution.

report by Symantec which surveilled the cyber group over a period of 18 months found that the group was using a new, previously unseen backdoor named 'Neptun' and also hijacked a rival espionage group's infrastructure which it used to launch other cyber attacks.

Advertisement - Article continues below

Since early 2018 Waterbug has successfully attacked 13 organisations across 10 different countries, most of which were government offices in different continents including Latin America, Middle East, Europe and South Asia.

One of the most notable extracts from the whole report was the hijacking of Crambus group's infrastructure to deliver malware to a victim's network, through what Symantec describes as a "hostile takeover".

The malware used by Waterbug was a "heavily modified" version of the widely-available hacking tool Mimikatz that appears to be unique to Waterbug. The malware was downloaded to the middle eastern victim's network using Crambus-controlled network infrastructure and a Powruner tool known to be tied to Crambus.

In the instance of the middle eastern victim, Crambus was the first to compromise the victim's network with the earliest evidence of the group's activity detected in 2017. Waterbug came along on 11 January 2018 and dropped a Waterbug-linked tool (a task scheduler named msfgi.exe) before downloading its modified Mimikatz variant to the same computer using a Crambus command and control (C&C) server the next day.

Advertisement - Article continues below
Advertisement - Article continues below

"The incident leaves many unanswered questions, chiefly relating to Waterbug's motive for using Crambus infrastructure," read the report. Symantec offered four possible explanations:

  • False flag tactics: Waterbug is known for using false flag tactics to throw researchers off their scent, but it begs the question of why it also used its own infrastructure to communicate with other machines on the victim's network.
  • Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out that Crambus had already compromised its network, and hijacked Crambus's own infrastructure as a means of gaining access.
  • Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded by the Crambus infrastructure was actually developed by Crambus. However, the compilation technique and the fact that the only other occasion it was used was linked to Waterbug works against this hypothesis.
  • Opportunistic sowing of confusion: If a false flag operation wasn't planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators.
Advertisement - Article continues below

"The organisations need to be on their toes and have to watch out for any weird behaviour in their networks," said Boris Cipot, senior security engineer at Synopsys. "Even if the signatures of the malware were found - and you should search for those in your network - there is no saying what is still out there and what could be lurking under the hood of this attack."

Waterbug's operations over the 18-month monitoring period were split into three separate campaigns, each characterised by their mode of attack, according to Symantec.

The first campaign involved a brand new backdoor called Neptun which is installed on Microsoft Exchange servers and passively listens for commands from attackers - its passive operation makes it more difficult to detect.

A second campaign used the Meterpreter backdoor which Waterbug has used since early 2018. This one was modified and given a .wav extension to hide its malicious purpose.

Advertisement - Article continues below

The third of a trio of backdoors characterises the third campaign. It used a different customised remote procedure call backdoor like Meterpreter which was formed using code from the PowerShellRunner tool to execute PowerShell scripts without having to use powershell.exe.

"This tool is designed to bypass detection aimed at identifying malicious PowerShell usage," said Symantec. "Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry. This was probably done to avoid them being written to the file system."

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



K2View innovates in data management with new encryption patent

28 May 2020

ZLoader malware returns as a coronavirus phishing scam

27 May 2020

AnarchyGrabber hack steals Discord tokens, IDs and passwords

27 May 2020

Scammers leverage contact-tracing in hacking attempt

27 May 2020

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020