A sophisticated phishing operation lasting over four years has impacted hundreds of companies across various sectors, according to a report by cybersecurity firm SOCRadar. This operation, named Operation HookedWing, has continued to evolve since its initial documentation in 2022, maintaining core strategies while adapting its methods.
Widespread Impact and Stolen Credentials
Throughout its duration, Operation HookedWing has compromised more than 2,000 user credentials from over 500 organizations, affecting industries such as aviation, travel, energy, financial services, government, and technology. The campaign’s primary method involved using deceptive emails themed around Microsoft and Outlook, leveraging GitHub domains and compromised servers.
From 2024 onwards, the phishing group expanded its language targets to include French and continued to utilize GitHub for its malicious activities. They also diversified their attack methods by concealing domain names and adding new themes and landing pages to their tactics.
Infrastructure and Targeting Strategies
SOCRadar has identified numerous command-and-control (C&C) servers linked to Operation HookedWing, along with over 100 GitHub domains and several distribution domains on other platforms. The campaign’s targeting is strategic, focusing on infrastructures of significant geopolitical importance, suggesting an intent to access sensitive information and high-value credentials.
The phishing emails are crafted to mimic communications from HR departments or colleagues, using authoritative and urgent language to avoid suspicion. These emails often lead recipients to GitHub repositories or intermediary sites that mimic Microsoft Outlook, enhancing their credibility.
Technical Tactics and Data Collection
The phishing emails feature links that guide victims to landing pages simulating an Outlook environment, complete with personalized text based on the victim’s organization. A background script on these pages validates email addresses and URLs, and collects user credentials along with geolocation data.
When a victim attempts to sign in, the attackers obtain a comprehensive set of data about that victim, including email address, password, IP address, and organizational domain. This data is crucial for the attackers, providing them with valuable information that can be exploited or sold.
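The tactics described above (an HR- or colleague-themed pretext, urgent wording, a Microsoft/Outlook sign-in lure, and a link that resolves to GitHub-hosted or otherwise non-Microsoft infrastructure) can be turned into a simple mail-triage heuristic. The following is an added, defender-side example written for this article; it is not SOCRadar's tooling and does not reproduce any indicator from the report. The sample messages, the sender addresses, the hostnames, the list of legitimate Microsoft sign-in hosts, and the scoring weights are all constructed assumptions that a defender would tune to their own tenant.

```python
"""Heuristic triage of inbound mail for Outlook-themed credential lures hosted
on code-hosting platforms.  Example code for this article; messages, hosts and
weights below are constructed for illustration, not taken from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: hosts where a genuine Microsoft sign-in page may legitimately live.
# A defender would derive this list from their own tenant configuration.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "outlook.office.com",
    "outlook.office365.com",
    "login.live.com",
}

# Code-hosting endpoints of the kind the campaign narrative says were abused.
CODE_HOSTING_EXACT = {"github.com", "www.github.com", "raw.githubusercontent.com"}
CODE_HOSTING_SUFFIX = ".github.io"

LURE_TERMS = re.compile(r"\b(outlook|office ?365|microsoft|mailbox|password)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|action required|within 24 hours|expire[sd]?)\b", re.I)
HR_TERMS = re.compile(r"\b(hr|human resources|payroll|benefits|policy update)\b", re.I)


@dataclass
class Message:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    links: list[str]


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def _is_code_hosting(host: str) -> bool:
    return host in CODE_HOSTING_EXACT or host.endswith(CODE_HOSTING_SUFFIX)


def triage(msg: Message) -> Verdict:
    """Score one message; higher means more like the lure pattern described."""
    v = Verdict()
    text = f"{msg.subject}\n{msg.body}"
    themed = bool(LURE_TERMS.search(text))
    if themed:
        v.score += 1
        v.reasons.append("microsoft/outlook themed text")
    if URGENCY_TERMS.search(text):
        v.score += 1
        v.reasons.append("urgency language")
    if HR_TERMS.search(text) or HR_TERMS.search(msg.sender_name):
        v.score += 1
        v.reasons.append("hr/colleague pretext")
    for url in msg.links:
        h = _host(url)
        if not themed or not h:
            continue  # only score links when the text is a sign-in lure
        if _is_code_hosting(h):
            v.score += 3
            v.reasons.append(f"sign-in lure links to code hosting: {h}")
        elif h not in MICROSOFT_LOGIN_HOSTS and "microsoft" in h:
            v.score += 3
            v.reasons.append(f"microsoft look-alike host: {h}")
        elif h not in MICROSOFT_LOGIN_HOSTS:
            v.score += 1
            v.reasons.append(f"sign-in lure on non-microsoft host: {h}")
    return v


def is_suspicious(msg: Message, threshold: int = 4) -> bool:
    return triage(msg).score >= threshold


# Constructed sample traffic (not real messages or domains).
SAMPLES = [
    Message("HR Department", "hr@constructed-example.test",
            "Action required: Outlook mailbox policy update",
            "Please sign in to Outlook immediately to acknowledge the updated policy.",
            ["https://constructed-lure.github.io/signin/"]),
    Message("Alice", "alice@constructed-example.test",
            "Lunch on Friday?", "Shall we try the new place? Menu here.",
            ["https://menu.constructed-example.test/"]),
    Message("IT Support", "it@constructed-example.test",
            "Password expires in 24 hours", "Reset your Microsoft 365 password here.",
            ["https://login.microsoftonline.com/"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = triage(m)
        print(f"{v.score:>2}  {'SUSPICIOUS' if is_suspicious(m) else 'ok        '}  {m.subject}  {v.reasons}")
```

The first sample scores 6 (themed text, urgency, HR pretext, and a GitHub Pages link) and is flagged; the third is a genuine-looking reminder that links to a known Microsoft sign-in host, so it stays below the threshold despite its urgent wording. The point of the weighting is that the link destination, not the lure text, carries most of the signal: a Microsoft-themed page served from a code-hosting domain has no legitimate reason to exist.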
As phishing campaigns continue to evolve, organizations must remain vigilant and employ robust cybersecurity measures to protect against such threats. Continuous monitoring and education are key to mitigating the risks associated with these sophisticated cyber attacks.
