Many Ukrainian Organizations Targeted in Reconnaissance Operation

CyberX, a company that specializes in ICS security, has been monitoring a well-organized campaign that has targeted at least 70 entities with ties to Ukraine, including the country’s critical infrastructure.

The campaign, dubbed Operation BugDrop, has been underway since at least June 2016. It involves malware delivered via spear phishing emails and malicious macro-enabled Office documents.

The BugDrop malware is capable of collecting system information, passwords and other browser data, and audio from the microphone. It can also steal files from local, shared and USB drives, including documents, spreadsheets, presentations, archives, databases and text files.

Each of these capabilities is provided by a different module, but researchers determined that not all modules are deployed on every infected device. Based on its analysis, CyberX believes BugDrop is a reconnaissance operation and it could represent the first phase of a campaign with broader objectives.

The main module, which downloads the other components, is designed to upload the stolen data to a specified Dropbox account. Experts believe the malware uses Dropbox for exfiltration because the file sharing service is often not blocked or monitored by firewalls.
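Because the exfiltration channel described above blends in with ordinary cloud-storage traffic, the practical detection control is to watch egress for bulk uploads to Dropbox from hosts that have no sanctioned reason to use it. The script below is an added example for this article, not code from CyberX or from its report: it parses a constructed, simplified proxy log (timestamp, source IP, HTTP method, destination host, bytes sent), sums POST/PUT bytes to Dropbox domains per host per day, and flags unsanctioned hosts, marking those above a daily volume threshold as bulk uploaders. The domain list, the 50 MB threshold, the sanctioned-host list and the log lines are all assumptions chosen for the demonstration.

```python
"""Flag bulk uploads to Dropbox in a web proxy log (added example, not from the CyberX report)."""
from collections import defaultdict
import re

# Domains commonly seen for Dropbox client/API traffic (assumption: verify against your own proxy data).
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
UPLOAD_METHODS = {"POST", "PUT"}
# Hosts with a sanctioned business reason to sync to Dropbox (constructed value).
ALLOWED_HOSTS = {"10.0.0.50"}
# Daily upload volume above which an unsanctioned host is treated as a bulk uploader (assumption).
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed, simplified log format: "<ISO timestamp> <src ip> <METHOD> <host> <bytes sent>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$")

# Constructed sample log lines; the malformed last line exercises the parser's skip path.
SAMPLE_LOG = """\
2016-06-14T08:01:12Z 10.0.0.23 GET www.example.com 512
2016-06-14T08:05:40Z 10.0.0.23 POST content.dropboxapi.com 41943040
2016-06-14T09:10:02Z 10.0.0.23 POST content.dropboxapi.com 20971520
2016-06-14T09:12:55Z 10.0.0.50 POST content.dropboxapi.com 73400320
2016-06-14T10:00:00Z 10.0.0.77 GET www.dropbox.com 2048
2016-06-14T10:30:00Z 10.0.0.91 PUT api.dropboxapi.com 1048576
garbage line that should be skipped
"""


def is_dropbox_host(host):
    """True for a Dropbox domain or any subdomain of one; lookalikes such as
    'dropboxapi.com.evil.example' do not match because the suffix test is anchored."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "method": m["method"],
            "host": m["host"], "bytes": int(m["bytes"])}


def dropbox_upload_volume(log_text):
    """Return {(src_ip, day): bytes} summed over POST/PUT requests to Dropbox domains."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if not is_dropbox_host(rec["host"]):
            continue
        day = rec["ts"][:10]  # YYYY-MM-DD prefix of the ISO timestamp
        totals[(rec["src"], day)] += rec["bytes"]
    return dict(totals)


def flag_suspicious(log_text, threshold=UPLOAD_THRESHOLD_BYTES, allowed=ALLOWED_HOSTS):
    """Report every unsanctioned host that uploaded to Dropbox, sorted by (host, day).
    'bulk' is True when the day's volume reaches the threshold."""
    alerts = []
    for (src, day), nbytes in sorted(dropbox_upload_volume(log_text).items()):
        if src in allowed:
            continue
        alerts.append({"src": src, "day": day, "bytes": nbytes, "bulk": nbytes >= threshold})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious(SAMPLE_LOG):
        tag = "BULK UPLOAD" if alert["bulk"] else "upload"
        print(f"{alert['day']} {alert['src']}: {alert['bytes']} bytes to Dropbox ({tag})")
```

On the sample data, 10.0.0.23 is flagged as a bulk uploader (two POSTs totalling 60 MB in one day), 10.0.0.91 is reported as a low-volume unsanctioned upload, 10.0.0.50 is ignored as sanctioned, and the GET from 10.0.0.77 is not counted because downloads and page views are not exfiltration. In a real deployment the same aggregation would run over the proxy's actual schema, and the sanctioned-host list would come from asset inventory rather than a literal.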

The malware also includes various anti-reverse engineering mechanisms, including checks for debuggers, virtual environments, Wireshark and Process Explorer. It further attempts to evade detection by using encrypted DLLs and a technique called reflective DLL injection, which had also been leveraged by BlackEnergy and Duqu.

CyberX said a majority of the targets of Operation BugDrop are located in or have an interest in Ukraine, but the attackers have also targeted entities in Russia, Saudi Arabia and Austria. Many of the Ukrainian organizations are located in the self-proclaimed states of Donetsk and Luhansk.


The list of victims includes an international organization that monitors human rights, counter-terrorism, and cyberattacks on critical infrastructure in Ukraine; a firm specializing in remote monitoring systems for oil and gas pipeline infrastructure; an energy company that designs gas pipelines, electrical substations, and water supply plants; a Ukrainian newspaper; and a scientific research institute.

“The operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics,” CyberX said in its report.

Based on its sophistication, CyberX believes the campaign is likely run by a state-sponsored actor, but the company has not named any country.

The security firm noted that there are many similarities to Operation Groundbait, a campaign detailed by ESET in May 2016. Operation Groundbait also targeted organizations in Ukraine and it also leveraged modular malware to steal data. ESET determined that it could be the work of a politically-motivated group from within Ukraine, which led the company to classify it as cyber surveillance.

However, CyberX believes Operation BugDrop is more sophisticated. For instance, Dropbox was not used for exfiltration in Operation Groundbait, and BugDrop used legitimate free web hosting to store its malware, whereas the Groundbait attackers paid for their domains and IP addresses.

Furthermore, the malware used in BugDrop was compiled one month after ESET published its report. Experts believe the two campaigns are either not related or the attackers decided to change their tactics, techniques and procedures after their activities were exposed.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
