State-sponsored Spy Campaign Targets Ukrainian Infrastructure

CyberX has discovered a new, large-scale cyber-reconnaissance operation aimed at a broad range of targets in the Ukraine, eavesdropping on sensitive conversations by remotely controlling PC microphones to surreptitiously bug its victims.

Because it uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”

The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.

Operation BugDrop infects its victims using targeted email phishing attacks and malicious macros embedded in Microsoft Office attachments. It also uses clever social engineering to trick users into enabling macros if they aren’t already enabled.

The security firm has confirmed at least 70 victims successfully targeted by the operation in a range of sectors, including critical infrastructure, media and scientific research. These include a company that designs remote monitoring systems for oil and gas pipeline infrastructures; an international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine; and an engineering company that designs electrical substations, gas distribution pipelines and water supply plants.

Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organizations by the Ukrainian government.

“Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources,” said CyberX, in an analysis. “In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”

Initially, CyberX saw similarities between Operation BugDrop and a previous cyber-surveillance operation discovered by ESET in May 2016 called Operation Groundbait. However, despite some similarities in the tactics, techniques and procedures (TTPs) used by the hackers in both operations, Operation BugDrop’s TTPs are significantly more sophisticated than those used in the earlier operation. For example, as mentioned, it uses Dropbox for data exfiltration, a clever approach because Dropbox traffic is typically not blocked or monitored by corporate firewalls.
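Because the article's point is that Dropbox traffic usually passes corporate firewalls unmonitored, the practical defensive check is volumetric: look for workstations whose daily upload volume to Dropbox endpoints is out of line with normal sync activity. The script below is an added example and not CyberX's tooling; the space-separated proxy log format (timestamp, client IP, method, destination host, path, bytes sent), the sample lines and the 100 MB per-client per-day threshold are all constructed assumptions for illustration.

```python
"""Flag workstations that push unusually large volumes to Dropbox endpoints.

Added example. The log format (space-separated: timestamp, client IP, HTTP
method, destination host, request path, bytes sent) is an assumption, and the
sample lines below are constructed, not real proxy data.
"""
from collections import defaultdict

# Domains used by the Dropbox client and API for uploads (assumption: a
# defender would confirm these against their own proxy logs).
DROPBOX_HOSTS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")

# Per-client, per-day upload volume above which an alert is raised (100 MB).
THRESHOLD_BYTES = 100 * 1024 * 1024

# Constructed sample log: one client pushes ~110 MB in a day, another syncs
# a couple of MB, a third uploads to a non-Dropbox host.
SAMPLE_LOG = """\
2017-02-17T08:55:10Z 10.0.0.12 POST content.dropboxapi.com /2/files/upload 52428800
2017-02-17T09:15:02Z 10.0.0.12 POST content.dropboxapi.com /2/files/upload 52428800
2017-02-17T11:40:33Z 10.0.0.12 POST content.dropboxapi.com /2/files/upload 10485760
2017-02-17T10:02:45Z 10.0.0.37 GET www.dropbox.com /home 512
2017-02-17T12:30:00Z 10.0.0.37 POST content.dropboxapi.com /2/files/upload 2097152
2017-02-17T13:05:19Z 10.0.0.51 POST upload.example.net /api/v1/put 209715200
2017-02-18T09:00:00Z 10.0.0.12 POST content.dropboxapi.com /2/files/upload 1048576
"""


def parse_line(line):
    """Split one log line into (day, client, method, host, bytes_sent), or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, host, _path, size = parts
    try:
        return ts[:10], client, method.upper(), host.lower(), int(size)
    except ValueError:
        return None


def is_dropbox(host):
    """True if host is a Dropbox domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in DROPBOX_HOSTS)


def aggregate_uploads(log_text):
    """Return {(day, client): bytes} for POST/PUT requests to Dropbox hosts only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, client, method, host, size = rec
        if method in ("POST", "PUT") and is_dropbox(host):
            totals[(day, client)] += size
    return dict(totals)


def flag_hosts(log_text, threshold=THRESHOLD_BYTES):
    """Return sorted [(day, client, bytes)] for clients exceeding the daily threshold."""
    totals = aggregate_uploads(log_text)
    return sorted(
        (day, client, total)
        for (day, client), total in totals.items()
        if total > threshold
    )


if __name__ == "__main__":
    for day, client, total in flag_hosts(SAMPLE_LOG):
        print(f"{day} {client} uploaded {total / (1024 * 1024):.1f} MB to Dropbox")
```

A fixed threshold is only a starting point; in practice the baseline should be per-host (or per-role) over a trailing window, and the alert should also fire on clients that have never used Dropbox before and suddenly start uploading. The check only works if the proxy actually terminates TLS or at least logs request sizes for these domains, which is exactly the visibility the article notes is usually missing.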

It also uses reflective DLL injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL injection loads malicious code without going through the normal Windows API calls, thereby bypassing security verification of the code before it gets loaded into memory. The malware additionally ships its DLLs in encrypted form, avoiding detection by common anti-virus and sandboxing systems because they are unable to analyze encrypted files.
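The defensive consequence of reflective loading is that the DLL never appears in the process's module list and is not backed by a file on disk: it sits in private, executable memory, often still starting with a PE header. The script below is an added example, not CyberX's analysis tooling; it applies a simplified version of the heuristic that memory-forensics tools such as Volatility's malfind use, over constructed region records shaped like what such a tool reports per process. The `Region` fields and sample regions are assumptions for illustration.

```python
"""Triage heuristic for reflectively loaded DLLs in a process memory map.

Added example. A DLL loaded through LoadLibrary is mapped as an image backed
by its file on disk; a reflectively loaded DLL lives in private memory with
no backing file. The Region records below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows PAGE_EXECUTE* memory protection constants.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
PAGE_READWRITE = 0x04


@dataclass
class Region:
    base: int
    size: int
    protect: int
    backed_by: Optional[str]  # mapped file path, or None for private memory
    head: bytes               # first bytes of the region (constructed)


# Constructed memory map: a normal image, a heap, a stack, one injected
# region with its PE header intact, and one with the header wiped.
SAMPLE_REGIONS = [
    Region(0x7FFA1C000000, 0xC4000, PAGE_EXECUTE_READ, r"C:\Windows\System32\kernel32.dll", b"MZ\x90\x00"),
    Region(0x000002A1F0000, 0x100000, PAGE_READWRITE, None, b"\x00\x00\x00\x00"),
    Region(0x000000C3E0000, 0x80000, PAGE_READWRITE, None, b"\x00\x00\x00\x00"),
    Region(0x000002B400000, 0x45000, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00\x03\x00"),
    Region(0x000002B600000, 0x20000, PAGE_EXECUTE_READ, None, b"\x48\x89\x5c\x24"),
]


def suspicious(region: Region) -> Optional[str]:
    """Return a reason if the region looks reflectively loaded, else None."""
    if region.protect not in EXECUTABLE:
        return None                       # data, heap, stack: not of interest here
    if region.backed_by is not None:
        return None                       # ordinary image mapping via the loader
    if region.head.startswith(b"MZ"):
        return "PE header in private executable memory"
    # Loaders often wipe the header after mapping; still worth a look.
    return "executable private memory with no backing file"


def scan(regions: List[Region]) -> List[Tuple[int, str]]:
    """Return (base, reason) for every region the heuristic flags."""
    hits = []
    for region in regions:
        reason = suspicious(region)
        if reason is not None:
            hits.append((region.base, reason))
    return hits


if __name__ == "__main__":
    for base, reason in scan(SAMPLE_REGIONS):
        print(f"0x{base:016X}: {reason}")
```

Treat the output as triage, not proof: JIT engines (.NET, browsers, some packers) legitimately allocate private executable memory, so the second, weaker hit type needs corroboration such as a thread whose start address lies inside the region or outbound network activity from that process. The encrypted-DLL point in the article cuts the other way for this check: however the payload is stored on disk, it has to be decrypted into memory to run, which is where a memory-based heuristic still sees it.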

The perpetrators are likely nation-state backed.

“Skilled hackers with substantial financial resources carried out Operation BugDrop,” CyberX noted. “Given the amount of data analysis that needed to be done on [a] daily basis, we believe BugDrop was heavily staffed. Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience. While we are comfortable assigning nation-state level capabilities to this operation, we have no forensic evidence that links BugDrop to a specific nation-state or group. Attribution is notoriously difficult, with the added difficulty that skilled hackers can easily fake clues or evidence to throw people off their tail.”