CyberX, a company that specializes in ICS security, has been monitoring a well-organized campaign that has targeted at least 70 entities with ties to Ukraine, including the country’s critical infrastructure.
The campaign, dubbed Operation BugDrop, has been underway since at least June 2016. It involves malware delivered via spear phishing emails and malicious macro-enabled Office documents.
The BugDrop malware is capable of collecting system information, passwords and other browser data, and audio from the microphone. It can also steal files from local, shared and USB drives, including documents, spreadsheets, presentations, archives, databases and text files.
Each of these capabilities is provided by a different module, but researchers determined that not all modules are deployed on every infected device. Based on its analysis, CyberX believes BugDrop is a reconnaissance operation and it could represent the first phase of a campaign with broader objectives.
The main module, which downloads the other components, is designed to upload the stolen data to a specified Dropbox account. Experts believe the malware uses Dropbox for exfiltration because the file sharing service is often not blocked or monitored by firewalls.
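The reasoning above is that Dropbox traffic blends in because it is rarely monitored; a defender can close that gap by baselining upload volume to the service per host. The following is an added example, not code from the CyberX report or from the malware analysis: it sums bytes sent to Dropbox per workstation per day from constructed proxy log lines and flags hosts over a threshold. The log format, the Dropbox domain list and the 256 MiB threshold are assumptions to be tuned to the environment.

```python
"""Flag hosts whose daily upload volume to Dropbox is anomalous (added example)."""
import re
from collections import defaultdict

# Constructed sample lines: timestamp, source host, method, destination, bytes sent.
SAMPLE_LOGS = """\
2016-06-14T09:02:11Z ws-017 POST content.dropboxapi.com 524288000
2016-06-14T09:10:40Z ws-017 POST content.dropboxapi.com 734003200
2016-06-14T10:15:02Z ws-042 GET www.dropbox.com 1200
2016-06-14T11:00:00Z ws-042 POST content.dropboxapi.com 2097152
2016-06-14T11:05:00Z ws-042 POST mail.example.org 5242880
2016-06-15T08:30:22Z ws-017 POST content.dropboxapi.com 1073741824
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) (?P<out>\d+)$"
)
# Assumed Dropbox domains; a destination matches if it is the domain or a subdomain.
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
UPLOAD_METHODS = {"POST", "PUT"}  # only count requests that carry data outbound


def is_dropbox(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def daily_dropbox_uploads(log_text):
    """Sum bytes sent per (source host, day) for upload requests to Dropbox."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if m["method"] not in UPLOAD_METHODS or not is_dropbox(m["dst"]):
            continue
        day = m["ts"][:10]  # ISO timestamp prefix YYYY-MM-DD
        totals[(m["src"], day)] += int(m["out"])
    return dict(totals)


def flag_hosts(log_text, threshold=256 * 1024 * 1024):
    """Return sorted (host, day, bytes) entries above the daily upload threshold."""
    totals = daily_dropbox_uploads(log_text)
    return sorted((src, day, b) for (src, day), b in totals.items() if b > threshold)


if __name__ == "__main__":
    for src, day, b in flag_hosts(SAMPLE_LOGS):
        print(f"{day} {src} sent {b / 2**20:.0f} MiB to Dropbox")
```

In production the same aggregation would run over the proxy or firewall's real log schema, and the threshold would be set from a baseline of legitimate Dropbox use rather than a fixed constant.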
The malware also includes various anti-reverse-engineering mechanisms, including checks for debuggers, virtual environments, Wireshark and Process Explorer. It further attempts to evade detection by using encrypted DLLs and a technique called reflective DLL injection, which had also been leveraged by BlackEnergy and Duqu.
CyberX said a majority of the targets of Operation BugDrop are located or have an interest in Ukraine, but the attackers have also targeted entities in Russia, Saudi Arabia and Austria. Many of the Ukrainian organizations are located in the self-proclaimed states of Donetsk and Luhansk.
The list of victims includes an international organization that monitors human rights, counter-terrorism, and cyberattacks on critical infrastructure in Ukraine; a firm specializing in remote monitoring systems for oil and gas pipeline infrastructure; an energy company that designs gas pipelines, electrical substations, and water supply plants; a Ukrainian newspaper; and a scientific research institute.
“The operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics,” CyberX said in its report.
Based on its sophistication, CyberX believes the campaign is likely run by a state-sponsored actor, but the company has not named any country.
The security firm noted that there are many similarities to Operation Groundbait, a campaign detailed by ESET in May 2016. Operation Groundbait also targeted organizations in Ukraine and it also leveraged modular malware to steal data. ESET determined that it could be the work of a politically-motivated group from within Ukraine, which led the company to classify it as cyber surveillance.
However, CyberX believes Operation BugDrop is more sophisticated. For instance, Dropbox was not used for exfiltration in Operation Groundbait, and BugDrop used legitimate free web hosting to store its malware, whereas the Groundbait attackers paid for their domains and IP addresses.
Furthermore, the malware used in BugDrop was compiled one month after ESET published its report. Experts believe the two campaigns are either not related or the attackers decided to change their tactics, techniques and procedures after their activities were exposed.