
CyberX discovers operation BugDrop

Published by World Pipelines

CyberX, providers of the most widely deployed industrial cybersecurity platform, has announced the discovery of a new, large-scale cyber reconnaissance operation aimed at a broad range of targets in Ukraine.

Because the malware eavesdrops on sensitive conversations by remotely controlling PC microphones, surreptitiously "bugging" its targets, and uses Dropbox to store the exfiltrated data, CyberX has named it "Operation BugDrop."

CyberX has confirmed at least 70 victims successfully compromised by the operation in a range of sectors including critical infrastructure, media and scientific research. The operation captures a range of sensitive information, including audio recordings of conversations, screenshots, documents and passwords. Unlike a webcam, which users often defeat simply by placing tape over the lens, a computer's microphone is virtually impossible to block without physically opening the PC and disabling the hardware.

Most of BugDrop's targets are located in Ukraine, but there are also some in Russia and a small number in Saudi Arabia and Austria. Many targets are located in the self-declared separatist republics of Donetsk and Luhansk, which the Ukrainian government classifies as terrorist organisations. CyberX believes the cyber reconnaissance operation has been underway since June 2016.

Examples of Operation BugDrop targets identified by CyberX so far include:

  • A company that designs remote monitoring systems for oil and gas pipeline infrastructures.
  • An international organisation that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine.
  • An engineering company that designs electrical substations, gas distribution pipelines and water supply plants.
  • A scientific research institute.
  • Editors of two Ukrainian newspapers.

Operation BugDrop is well organised, employs sophisticated malware and appears to be backed by an organisation with substantial resources. In particular, the operation requires a large back-end infrastructure to store, decrypt and analyse several gigabytes per day of unstructured data captured from its targets, and a large team of human analysts to sort through that data, whether manually or with Big Data-style analytics.

The operation's tactics, techniques and procedures (TTPs) are also sophisticated. For example, it uses:

  • Dropbox for data exfiltration, a clever choice because Dropbox is a widely used cloud service whose traffic is typically neither blocked nor monitored by corporate firewalls.
  • Reflective DLL Injection, an advanced technique for loading malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu, a close relative of Stuxnet, the malware used against Iranian nuclear facilities. Instead of calling the normal Windows loader API (LoadLibrary), a reflective loader maps the DLL into memory itself and resolves its imports and relocations, so the module never needs to exist on disk and does not appear in the process's list of loaded modules. This bypasses security checks that hook the loader or scan files before they are loaded.
  • Encrypted DLLs, which are decrypted only in memory, so anti-virus and sandboxing systems that inspect files at rest see only ciphertext and cannot analyse the payload.
  • Legitimate free web hosting sites for command-and-control infrastructure. C&C servers are a potential pitfall for attackers because investigators can often identify them through registration details for the C&C domain or IP address, obtained via freely available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web-hosting site to store the core malware module that gets downloaded to infected victims. By comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
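Because the article stresses that Dropbox traffic usually passes through corporate perimeters unmonitored, the following added example (not CyberX's code and not part of the original article) shows the kind of egress check a defender could run against proxy logs: it aggregates upload volume per internal host and flags hosts whose uploads to the Dropbox content API exceed a threshold. The simplified space-separated log format, the IP addresses, the threshold and the allow-list are constructed assumptions for this example; the request paths are the Dropbox API v2 file-upload endpoints.

```python
"""Flag internal hosts pushing unusually large upload volumes to Dropbox.

Added example for the Operation BugDrop article; not CyberX's code.
The log format below is a constructed, simplified proxy log:
    <timestamp> <src_ip> <method> <host> <path> <bytes_sent>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log (not real traffic). Host 10.20.1.15 performs a
# chunked upload_session transfer, the pattern a bulk exfiltration would leave.
SAMPLE_LOG = """\
2017-02-15T09:01:12Z 10.20.1.15 POST content.dropboxapi.com /2/files/upload 3145728
2017-02-15T09:01:40Z 10.20.1.15 POST content.dropboxapi.com /2/files/upload 4194304
2017-02-15T09:02:05Z 10.20.1.15 POST content.dropboxapi.com /2/files/upload_session/append_v2 52428800
2017-02-15T09:03:11Z 10.20.1.15 POST content.dropboxapi.com /2/files/upload_session/append_v2 52428800
2017-02-15T09:05:00Z 10.20.1.22 GET www.dropbox.com /home 512
2017-02-15T09:06:30Z 10.20.1.22 POST content.dropboxapi.com /2/files/upload 204800
2017-02-15T09:10:00Z 10.20.1.31 GET example.org /index.html 300
"""

# Dropbox API v2 content endpoint; /2/files/upload_session/* is the chunked
# upload path used for files larger than a single request.
DROPBOX_UPLOAD_HOSTS = frozenset({"content.dropboxapi.com"})
UPLOAD_PATH_PREFIX = "/2/files/upload"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<host>[\w.-]+) (?P<path>\S+) (?P<bytes>\d+)$"
)


@dataclass
class HostStats:
    upload_bytes: int = 0       # total bytes sent to the upload endpoints
    upload_requests: int = 0    # number of upload POSTs
    session_uploads: int = 0    # chunked upload_session/* calls


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_dropbox_upload(rec):
    """True for POSTs to the Dropbox content upload endpoints only."""
    return (rec["host"] in DROPBOX_UPLOAD_HOSTS
            and rec["method"] == "POST"
            and rec["path"].startswith(UPLOAD_PATH_PREFIX))


def summarize_uploads(log_text):
    """Aggregate Dropbox upload volume per source IP; skips malformed lines."""
    stats = defaultdict(HostStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_dropbox_upload(rec):
            continue
        s = stats[rec["src"]]
        s.upload_bytes += rec["bytes"]
        s.upload_requests += 1
        if "/upload_session/" in rec["path"]:
            s.session_uploads += 1
    return dict(stats)


def flag_suspicious(stats, byte_threshold=50 * 1024 * 1024,
                    known_sync_hosts=frozenset()):
    """Return source IPs whose Dropbox upload volume meets byte_threshold,
    excluding hosts on an allow-list of machines expected to sync files."""
    return sorted(ip for ip, s in stats.items()
                  if ip not in known_sync_hosts and s.upload_bytes >= byte_threshold)


if __name__ == "__main__":
    summary = summarize_uploads(SAMPLE_LOG)
    for ip in flag_suspicious(summary):
        s = summary[ip]
        print(f"{ip}: {s.upload_bytes} bytes in {s.upload_requests} uploads "
              f"({s.session_uploads} chunked)")
```

The request path is only visible if the proxy terminates TLS; without inspection, only the server name (SNI) and byte counts are available, so the same check would have to key on the host alone. A fixed 50 MiB threshold is a placeholder: in practice each host should be compared against its own upload baseline, and hosts legitimately running the Dropbox sync client belong on the allow-list.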

"There's been a lot of cyber activity in Ukraine, but what makes this one stand out is its scale and the amount of human and logistical resources required to analyse such massive amounts of unstructured stolen data. Clearly, these cyber-operatives know what they're doing," said Nir Giller, CTO, CyberX.

"To prevent theft of corporate intellectual property and disruption of production operations, organisations of all types need to implement better detection of targeted attacks like these. Continuous monitoring of both IT and OT networks, and ongoing access to actionable threat intelligence, are two fundamental building blocks for modern cyber defence," Giller concluded.
