CyberX Discovers Operation BugDrop: A Large-Scale Cyber-Reconnaissance Operation Targeting Ukrainian Organizations
Sophisticated operation uses Dropbox to store exfiltrated data including audio recordings of sensitive conversations, screen shots, documents and passwords
February 16, 2017 --
BOSTON, Feb. 16, 2017 /PRNewswire/ -- CyberX, providers of the most widely deployed industrial cybersecurity platform, today announced the discovery of a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones in order to surreptitiously "bug" its targets and uses Dropbox to store exfiltrated data, CyberX has named it "Operation BugDrop." The full report on Operation BugDrop including Indicators of Compromise (IoCs) can be found on the CyberX blog.
Operation BugDrop: Targets
CyberX has confirmed at least 70 victims successfully targeted by the operation in a range of sectors including critical infrastructure, media, and scientific research. The operation seeks to capture a range of sensitive information including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer's microphone without physically accessing and disabling the PC hardware.
Most of BugDrop's targets are located in the Ukraine, but there are also some in Russia and a small number in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, regions classified as terrorist organizations by the Ukrainian government. CyberX believes the cyber-reconnaissance operation has been underway since June 2016.
Examples of Operation BugDrop targets identified by CyberX so far include:
- A company that designs remote monitoring systems for oil & gas pipeline infrastructures.
- An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine.
- An engineering company that designs electrical substations, gas distribution pipelines and water supply plants.
- A scientific research institute.
- Editors of two Ukrainian newspapers.
Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources. In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several Gigabytes per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually or with Big Data-like analytics.
The operation's Tactics, Techniques and Procedures (TTPs) are also sophisticated. For example, it uses:
- Dropbox for data exfiltration, a clever approach because Dropbox traffic is a widely used cloud service that is typically not blocked or monitored by corporate firewalls.
- Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without calling the normal Windows API calls, thereby bypassing security verification of the code before its gets loaded into memory.
- Encrypted DLLs, thereby avoiding detection by common anti-virus and sandboxing systems because they're unable to analyze encrypted files.
- Using legitimate free web hosting sites for command-and-control infrastructure. C&C servers are a potential pitfall for attackers as investigators can often identify attackers using registration details for the C&C server obtained via freely available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web-hosting site to store the core malware module that gets downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
"There's been a lot of cyber activity in the Ukraine but what makes this one stand out is its scale and the amount of human and logistical resources required to analyze such massive amounts of unstructured stolen data. Clearly, these cyber-operatives know what they're doing," said Nir Giller, CTO, CyberX. "To prevent theft of corporate intellectual property and disruption of production operations, organizations of all types need to implement better detection of targeted attacks like these. Continuous monitoring of both IT and OT networks, and ongoing access to actionable threat intelligence, are two fundamental building blocks for modern cyberdefense."
Founded in 2013 by IDF cyber experts, CyberX provides the most widely deployed platform for securing industrial control systems (ICS). The CyberX platform combines continuous, non-invasive vulnerability monitoring and advanced behavioral analytics with proprietary ICS-specific threat intelligence. This enables critical infrastructure and industrial organizations to immediately detect risk and mitigate risk, including targeted threats and industrial malware in their Operational Technology (OT) networks.
CyberX has racked up numerous awards and industry accolades including being named a "Cool Vendor" by Gartner. CyberX is also the only industrial cybersecurity vendor selected for the SINET16 Innovator Award sponsored by the US DHS and DoD, and the only ICS security vendor recognized by the International Society of Automation (ISA).
An active member of the Industrial Internet Consortium (IIC) and the ICS-ISAC, CyberX also provides groundbreaking ICS threat intelligence research that was recently featured in the popular McGraw-Hill book series, "Hacking Exposed ICS." For more information visit CyberX-Labs.com.
Looking Glass Public Relations
To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/cyberx-discovers-operation-bugdrop-a-large-scale-cyber-reconnaissance-operation-targeting-ukrainian-organizations-300408969.html
Copyright 2014 PR Newswire. All Rights Reserved