How a suspected nation state cyber campaign turned out to be a lone hacker in Nigeria

A hacker in his mid-20's who used the motto "get rich or die trying" on social media has been linked to a series of cyberattacks against global companies in the energy, construction, mining, oil and infrastructure sectors that were initially believed to be state-sponsored operations.

That's according to Check Point, a global cybersecurity firm headquartered in Israel and the United States, which released a blog post this week (15 August) claiming that the culprit, a Nigerian national, used malware and phishing to hit more than 4,000 companies in total.

The campaign was launched in April this year and Check Point first became aware of the activity after some of its customers were targeted, later forwarding a selection of suspicious emails for investigation.

Given the targets hit in the campaign, experts believed that it may have been nation-state activity.

Researchers theorised that because the attacks were global in scale and targeting such major organisations an "expert gang" could have been involved.

Most governments have sanctioned hacking units that break into computer networks for espionage purposes.

Upon investigation, however, Check Point discovered that it was instead the work of a "lone Nigerian national" living near the country's capital city. The security company is now cooperating with regional police and has not released the suspect's name.

His campaign, the blog post said, used malware-laced emails which appeared to originate from oil and gas giant Saudi Aramco, targeting financial staff within targeted companies to trick them into revealing company bank details or open the infected attachment.

Saudi Aramco is the state-owned oil company of Saudi Arabia and is one of the world's top exporters of crude oil and natural gas resources.

Upon inspection, the attack method used was branded "crude and unsophisticated". The reason why the campaign remained noteworthy, however, is because 14 victims still fell for the scam. It only reinforced the fact that phishing emails are still a major threat to businesses.

Victims reportedly included a marine and energy solutions company in Croatia, a mining company in Egypt, a construction company in Dubai and an oil and gas firm in Kuwait.

The hacker reportedly made "thousands of dollars in the process", Check Point said.

But an exact figure of his illicit profit was not revealed by the researchers.

The hacker allegedly used a remote access Trojan (RAT) called NetWire to help control infected computers alongside a keylogging programme known as Hawkeye.

The attacks were launched using email addresses from standard Yahoo domains, with little attempt to hide the addresses from being identified. It was all very amateur, experts stressed.

Maya Horowitz, threat intelligence manager at Check Point, commented: "Even though this individual is using low-quality phishing emails, and generic malware which is easy to find online, his campaign has still been able to infect several organisations.

"It shows just how easy it is for a relatively unskilled hacker to launch a large-scale campaign that successfully breaches the defences of even large companies, enabling them to commit fraud.

"This emphasises the need for organisations to educate employees to be cautious about opening emails, even from companies or individuals that they recognise."

The ultimate lesson: phishing still works. It is used by everyone from nation state hackers to low-level cybercriminal gangs because it exploits human trust and a lack of education. If you want to learn more about the digital threat, check out IBTimes UK's guide here.