Symantec: Waterbug Hijacks Crambus Toolset

Symantec has released new information about the Waterbug attack group. The group has continued to attack governments and international organisations over the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group’s infrastructure.

Waterbug’s most recent campaigns have involved a swath of new tools including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools. The group has also followed the current shift towards “living off the land,” making use of PowerShell scripts and PsExec, a Microsoft Sysinternals tool used for executing processes on other systems.

Victims of Waterbug include government departments such as Foreign Affairs ministries in Europe, the Middle East and Latin America.

During an attack against a target in the Middle East, Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim’s network. While it is possible that the two groups may have been collaborating, Symantec hasn’t found further evidence to support this. It’s most likely that Waterbug’s use of Crambus infrastructure was a hostile takeover.

There are several potential, unconfirmed motives behind Waterbug’s takeover of Crambus infrastructure. Waterbug does have a track record of using false flag tactics to confuse investigators, but it’s also possible that the group strategically hijacked Crambus’s infrastructure as a means of gaining access to the target organisations.

To read the full Threat Intelligence Report please go to

%d bloggers like this: