Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/17/2017
03:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

At Least 70 Organizations Targeted In Sophisticated Cyber Surveillance Operation

Most of the targets are in Ukraine, though a few have been spotted in Russia and elsewhere, CyberX says

At least 70 organizations across multiple industries including critical infrastructure, scientific research and media have been hit in a sophisticated cyber-surveillance campaign conducted by threat actors with potential nation state connections.

A majority of the victim organizations are Ukraine based, though a handful of targets have also been spotted in Russia, Austria and Saudi Arabia as well. 

Security vendor CyberX uncovered the operation after discovering malware used in the attacks in the wild and then reverse engineering it.

The company has dubbed the campaign Operation BugDrop because one of the methods employed by the threat actors behind it to collect data is to eavesdrop on conversations via the victim’s PC microphone. The tactic is highly effective because a computer microphone, unlike a video camera, is almost impossible to block without actually disabling the associated hardware, CyberX noted in a blog.

The focus of BugDrop appears to be to capture a range of sensitive information from targets via audio recordings of conversations and via documents, screenshots and passwords from victim system, according to CyberX.

The targeting of the victims is similar to that of Operation Groundbait, a cyber surveillance campaign uncovered by ESET last May.

As with the Groundbait campaign, many of the victims of BugDrop are located in Luhansk and Donetsk, two states that have proclaimed themselves to be independent from Ukraine and are regarded as terrorist states for that reason by the government there. Many of the tactics, techniques and procedures used in the BugDrop campaign — including the use of spear phishing emails and malicious macros — are also similar to those used in Groundbait.

Even so, BugDrop appears to be a more sophisticated and better-resourced operation than Groundbait, says Phil Neray, vice president of industrial control security at CyberX.

For example, the operators of BugDrop are using DropBox to store data exfiltrated from victim systems, making it harder to spot the illegal activity. “DropBox is a cloud-based service and it is very easy to upload data to it without having any firewalls or monitoring systems see anything suspicious or unusual” Neray says. All data stored in DropBox is also encrypted.

The malware itself is stored on a free web hosting service, which makes it harder to track the threat actors behind it. In contrast, the operators of Groundbait hosted their malware on a command and control server on a domain they had created thereby giving investigators a way to get clues to their identity from the registration details.

Operation BugDrop also employs a sophisticated malware detection evasion technique known as Reflective DLL Injection to inject malicious code on victim systems, Neray says. The method involves loading malicious code into memory without calling the usual Windows API call so as to bypass security verification of the code. The same approach was used in the BlackEnergy campaign on Ukraine’s electric grid, and in Stuxnet attacks in Iran, he noted.

Another pointer to the sophistication and resources available to the operators of BugDrop comes from the amount and type of data being collected and presumably analyzed.  At least 2 GB to 3 GB of unstructured data are being uploaded to the DropBox accounts daily.

This means the operators of BugDrop must have a sizeable infrastructure for storing and decrypting the data and access to skilled human analysts for extracting value from the data, Neray says.  “If you think about it, this is not like credit card data,” he says. “You need to have human analysts to look at the data.”

The organizational and logistical planning required for analyzing unstructured data at this scale daily suggests nation-state level capabilities he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12888
PUBLISHED: 2019-06-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-12887. Reason: This candidate is a reservation duplicate of CVE-2019-12887. Notes: All CVE users should reference CVE-2019-12887 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
CVE-2019-12280
PUBLISHED: 2019-06-25
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
CVE-2019-3961
PUBLISHED: 2019-06-25
Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browse...
CVE-2019-9836
PUBLISHED: 2019-06-25
Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.
CVE-2019-6328
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.