Waterbug hackers hijack rivals to launch cyber attacks

Hacker typing on a keyboard
(Image credit: Bigstock)

The Waterbug cyber espionage group has continued to successfully attack government institutions across the globe with a refreshed toolkit and a novel method of malware distribution.

A report by Symantec which surveilled the cyber group over a period of 18 months found that the group was using a new, previously unseen backdoor named 'Neptun' and also hijacked a rival espionage group's infrastructure which it used to launch other cyber attacks.

Since early 2018 Waterbug has successfully attacked 13 organisations across 10 different countries, most of which were government offices in different continents including Latin America, Middle East, Europe and South Asia.

One of the most notable extracts from the whole report was the hijacking of Crambus group's infrastructure to deliver malware to a victim's network, through what Symantec describes as a "hostile takeover".

The malware used by Waterbug was a "heavily modified" version of the widely-available hacking tool Mimikatz that appears to be unique to Waterbug. The malware was downloaded to the middle eastern victim's network using Crambus-controlled network infrastructure and a Powruner tool known to be tied to Crambus.

In the instance of the middle eastern victim, Crambus was the first to compromise the victim's network with the earliest evidence of the group's activity detected in 2017. Waterbug came along on 11 January 2018 and dropped a Waterbug-linked tool (a task scheduler named msfgi.exe) before downloading its modified Mimikatz variant to the same computer using a Crambus command and control (C&C) server the next day.

"The incident leaves many unanswered questions, chiefly relating to Waterbug's motive for using Crambus infrastructure," read the report. Symantec offered four possible explanations:

  • False flag tactics: Waterbug is known for using false flag tactics to throw researchers off their scent, but it begs the question of why it also used its own infrastructure to communicate with other machines on the victim's network.
  • Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out that Crambus had already compromised its network, and hijacked Crambus's own infrastructure as a means of gaining access.
  • Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded by the Crambus infrastructure was actually developed by Crambus. However, the compilation technique and the fact that the only other occasion it was used was linked to Waterbug works against this hypothesis.
  • Opportunistic sowing of confusion: If a false flag operation wasn't planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators.

"The organisations need to be on their toes and have to watch out for any weird behaviour in their networks," said Boris Cipot, senior security engineer at Synopsys. "Even if the signatures of the malware were found - and you should search for those in your network - there is no saying what is still out there and what could be lurking under the hood of this attack."

Waterbug's operations over the 18-month monitoring period were split into three separate campaigns, each characterised by their mode of attack, according to Symantec.

The first campaign involved a brand new backdoor called Neptun which is installed on Microsoft Exchange servers and passively listens for commands from attackers - its passive operation makes it more difficult to detect.

A second campaign used the Meterpreter backdoor which Waterbug has used since early 2018. This one was modified and given a .wav extension to hide its malicious purpose.

The third of a trio of backdoors characterises the third campaign. It used a different customised remote procedure call backdoor like Meterpreter which was formed using code from the PowerShellRunner tool to execute PowerShell scripts without having to use powershell.exe.

"This tool is designed to bypass detection aimed at identifying malicious PowerShell usage," said Symantec. "Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry. This was probably done to avoid them being written to the file system."

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.