
Cyberwarfare

Many Ukrainian Organizations Targeted in Reconnaissance Operation

CyberX, a company that specializes in ICS security, has been monitoring a well-organized campaign that has targeted at least 70 entities with ties to Ukraine, including the country’s critical infrastructure.


The campaign, dubbed Operation BugDrop, has been underway since at least June 2016. The malware is delivered through spear-phishing emails carrying macro-enabled Microsoft Office documents; the victim has to open the attachment and allow the macro to run, which then drops and launches the first-stage component.
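The delivery vector above is a plain macro-enabled Office attachment, so the first place to catch a BugDrop-style lure is at the mail gateway, before anyone can click "Enable Content". The following is an added example written for this article, not CyberX's tooling: it opens an OOXML (zip-based) document, looks for a VBA project part, and also flags the case where macros sit inside a file whose extension claims to be macro-free. The sample documents are constructed in memory and are not BugDrop lures; the extension set and verdict names are this example's own choices.

```python
"""Triage of Office attachments for embedded VBA projects.

Added example for this article; it is not CyberX's tooling and the sample
documents are constructed in memory (they are not BugDrop lures).
"""
import io
import zipfile
from typing import List, Optional

# Magic bytes of the legacy OLE2 container used by binary .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML content type that declares a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that are allowed to carry macros by design (assumed policy list).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def find_vba_parts(data: bytes) -> Optional[List[str]]:
    """Return VBA project part names inside an OOXML (zip) package, [] if none,
    or None if the data is not a zip at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # A renamed part still has to be declared in the content-type manifest.
            if "[Content_Types].xml" in names:
                manifest = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest and not parts:
                    parts.append("<declared in [Content_Types].xml>")
            return parts
    except zipfile.BadZipFile:
        return None


def classify(filename: str, data: bytes) -> str:
    """Coarse verdict for an attachment: legacy-ole, not-ooxml, clean,
    macro-enabled (macros in a macro-bearing extension) or macro-hidden
    (macros inside a file named as if it were macro-free)."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: VBA lives in OLE streams; hand these to an OLE parser (e.g. oletools).
        return "legacy-ole"
    parts = find_vba_parts(data)
    if parts is None:
        return "not-ooxml"
    if not parts:
        return "clean"
    return "macro-enabled" if ext in MACRO_EXTENSIONS else "macro-hidden"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word OOXML package for the demo (constructed data)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        if with_macro:
            overrides += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
            # The VBA project part is itself an OLE container; a header is enough here.
            pkg.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + overrides + "</Types>")
        pkg.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 8)]:
        print(name, classify(name, blob))
```

The check is deliberately structural: it never executes or decompresses the VBA, it only asks whether a VBA project is present, which is the question a gateway policy ("block macro-bearing documents from external senders") needs answered. Legacy binary .doc/.xls files get a separate verdict because their macros live in OLE streams rather than a zip entry and need an OLE parser.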

The BugDrop malware is capable of collecting system information, passwords and other data stored in the browser, and audio captured from the microphone. It can also steal files from local, shared and USB drives, including documents, spreadsheets, presentations, archives, databases and text files.

Each of these capabilities is provided by a different module, but researchers determined that not all modules are deployed on every infected device. Based on its analysis, CyberX believes BugDrop is a reconnaissance operation and it could represent the first phase of a campaign with broader objectives.

The main module, which downloads the other components, uploads the stolen data to an attacker-controlled Dropbox account. Experts believe the malware uses Dropbox for exfiltration because traffic to the file-sharing service is usually allowed through corporate firewalls and rarely monitored, so large outbound transfers to it draw no attention.
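The point about Dropbox is that the exfiltration channel is a service most organizations already allow, so blocking is not the answer; watching volume per host is. The following is an added example for this article, not CyberX's detection logic: it parses a constructed web-proxy log format, keeps only POST calls to Dropbox's HTTP API v2 upload endpoints (the hostnames and paths are Dropbox's public API), and reports hosts that push more than a threshold of bytes across more than a threshold of calls. The log lines, the thresholds and the user-agent strings are constructed for the demo.

```python
"""Flag Dropbox API uploads in web-proxy logs.

Added example for this article, not CyberX's detection logic. The log
format and the sample lines are constructed; the hostnames and paths are
Dropbox's public HTTP API v2 upload endpoints.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

DROPBOX_API_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com"}
UPLOAD_PATHS = (
    "/2/files/upload",
    "/2/files/upload_session/start",
    "/2/files/upload_session/append_v2",
    "/2/files/upload_session/finish",
)

# Constructed proxy-log format: timestamp client method url status bytes_sent "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: one host pushing ~13 MB in four chunks at 02:00, one sanctioned
# desktop client, one user browsing the Dropbox website, and one unparseable line.
SAMPLE_LOG = """\
2016-07-12T02:14:09Z 10.0.5.23 POST https://content.dropboxapi.com/2/files/upload 200 4194304 "Mozilla/5.0 (Windows NT 6.1)"
2016-07-12T02:16:41Z 10.0.5.23 POST https://content.dropboxapi.com/2/files/upload 200 4194304 "Mozilla/5.0 (Windows NT 6.1)"
2016-07-12T02:19:05Z 10.0.5.23 POST https://content.dropboxapi.com/2/files/upload 200 4194304 "Mozilla/5.0 (Windows NT 6.1)"
2016-07-12T02:21:37Z 10.0.5.23 POST https://content.dropboxapi.com/2/files/upload 200 1048576 "Mozilla/5.0 (Windows NT 6.1)"
2016-07-12T09:02:11Z 10.0.5.40 POST https://content.dropboxapi.com/2/files/upload 200 2048 "DropboxDesktopClient/3.4.6"
2016-07-12T09:05:50Z 10.0.5.41 GET https://www.dropbox.com/home 200 0 "Mozilla/5.0 (Windows NT 10.0)"
2016-07-12T09:06:02Z 10.0.5.41 POST https://api.dropboxapi.com/2/users/get_current_account 200 512 "Mozilla/5.0 (Windows NT 10.0)"
this line is garbage and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_dropbox_upload(rec: dict) -> bool:
    """True for a POST to one of the Dropbox API upload endpoints."""
    u = urlsplit(rec["url"])
    return (rec["method"] == "POST"
            and u.hostname in DROPBOX_API_HOSTS
            and u.path.startswith(UPLOAD_PATHS))


def find_dropbox_exfil(lines: Iterable[str], min_bytes: int = 5 * 1024 * 1024,
                       min_uploads: int = 3) -> Dict[str, dict]:
    """Aggregate upload bytes and call counts per source host; return the hosts
    that exceed both thresholds (thresholds are assumed values for the demo)."""
    totals = defaultdict(lambda: {"bytes": 0, "uploads": 0, "first": None,
                                  "last": None, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dropbox_upload(rec):
            continue
        t = totals[rec["src"]]
        t["bytes"] += rec["bytes_out"]
        t["uploads"] += 1
        t["first"] = t["first"] or rec["ts"]
        t["last"] = rec["ts"]
        t["agents"].add(rec["ua"])
    return {src: t for src, t in totals.items()
            if t["bytes"] >= min_bytes and t["uploads"] >= min_uploads}


if __name__ == "__main__":
    for src, t in find_dropbox_exfil(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {t['uploads']} uploads, {t['bytes']} bytes, "
              f"{t['first']}..{t['last']}, agents={sorted(t['agents'])}")
```

Two caveats a practitioner would want. First, the URL path is only visible when the proxy terminates TLS; without interception you see just the hostname from SNI or the CONNECT request, and the rule degrades to "bytes per host to content.dropboxapi.com", which is still usable. Second, the sanctioned Dropbox desktop client talks to the same endpoints, so the thresholds have to be set from a per-host baseline, and a browser-like user agent on a host with no Dropbox client installed is itself worth a look.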

The malware also includes several anti-analysis mechanisms: it checks for attached debuggers, virtualized environments, and running instances of Wireshark and Process Explorer. To evade detection it stores its modules as encrypted DLLs and loads them with reflective DLL injection, a technique also used by BlackEnergy and Duqu. Because a reflectively loaded module is decrypted and mapped directly in memory rather than written to disk and loaded through the normal Windows loader, file-based antivirus scanning never sees the plaintext DLL; catching it requires memory scanning or looking for the injection behaviour itself.

CyberX said a majority of the targets of Operation BugDrop are located or have an interest in Ukraine, but the attackers have also targeted entities in Russia, Saudi Arabia and Austria. Many of the Ukrainian organizations are located in the self-proclaimed states of Donetsk and Luhansk.

The list of victims includes an international organization that monitors human rights, counter-terrorism, and cyberattacks on critical infrastructure in Ukraine; a firm specializing in remote monitoring systems for oil and gas pipeline infrastructure; an energy company that designs gas pipelines, electrical substations, and water supply plants; a Ukrainian newspaper; and a scientific research institute.


“The operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics,” CyberX said in its report.

Based on its sophistication, CyberX believes the campaign is likely run by a state-sponsored actor, but the company has not named any country.

The security firm noted that there are many similarities to Operation Groundbait, a campaign detailed by ESET in May 2016. Operation Groundbait also targeted organizations in Ukraine and also relied on modular malware to steal data. ESET determined that it could be the work of a politically motivated group operating from within Ukraine, which led the company to classify it as cyber surveillance rather than a foreign espionage operation.

However, CyberX believes Operation BugDrop is more sophisticated. For instance, Dropbox was not used for exfiltration in Operation Groundbait, and BugDrop hosted its malware on legitimate free web hosting services, whereas the Groundbait attackers paid for their own domains and IP addresses.

Furthermore, the malware used in BugDrop was compiled roughly one month after ESET published its Groundbait report. Experts believe the two campaigns are either unrelated, or the same attackers changed their tactics, techniques and procedures after their activities were exposed.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
