Weekly Executive Summary for Week of February 24, 2017

By Kimberly Matsumoto on February 24, 2017

Operation BugDrop – Reconnaissance Operation Targeting Ukrainian Critical Infrastructure

ICS security experts at CyberX have uncovered a large-scale reconnaissance operation targeting organizations in Ukraine.  Since June 2016, over 600 gigabytes of data has been taken from 70 victims.  Some of the targets of this operation were a company that monitors oil and gas pipeline infrastructure, an organization monitoring human rights, counter-terrorism, and cyber-attacks on Ukraine’s critical infrastructure, and an engineering company that designs electrical substations, gas distribution pipelines, and water supply plants.

The malware was designed to “bug” computers by using the built-in microphone to record audio conversations.  This is especially worrying because, unlike a camera, a computer’s microphone is extremely difficult to block.  The recordings were then exfiltrated to Dropbox.  This combination led to the name Operation BugDrop.

CyberX found that the initial infection was done using spear-phishing emails with weaponized Microsoft Word attachments.  The macros were embedded in documents containing a list of personal details of military personnel, and the group used a fake image to trick users into enabling macros in order to view the contents.  Once infected, the main module would be installed and data would start being collected through various plug-ins such as File Collector, USB File Collector, Browser Data Collector, Microphone, and Computer Info Collector.

There were similarities to another operation discovered by ESET, Operation Groundbait, but CyberX found that Operation BugDrop was far more sophisticated in its tactics, techniques, and procedures (TTPs).  The use of Dropbox for exfiltration allowed them to bypass corporate firewalls, which usually don’t block that service.  The group also used free web hosting sites for their command and control servers, which let them avoid the identifying details that paid-for hosting would require.  The malware also had anti-reverse-engineering capabilities, such as checking whether a debugger was present or whether it was running in a virtual environment.

Substantial resources were needed to carry out Operation BugDrop.  This, together with the sophistication of the malware and techniques, leads experts to believe that it was a state-sponsored operation.  They have not yet attributed it to any group or country.

CyberX concluded by noting that both the private and public sectors need to be vigilant for abnormalities on their information technology (IT) and operational technology (OT) networks.  The newly popularized addition of behavioral analytics may help to identify these activities without too many false positives.
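As an added illustration of the kind of behavioral check the report calls for (this is example code written for this summary, not CyberX’s tooling), the script below baselines per-host upload volume to Dropbox from web-proxy logs and flags hosts that either never used Dropbox before or exceed a daily upload threshold. The log format, the Dropbox domain suffixes, the baseline host set, and the threshold are all assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the report). Assumed format:
# <timestamp> <client_host> <method> <destination_host> <bytes_sent>
SAMPLE_PROXY_LOG = """\
2017-02-20T09:01:12 eng-ws-07 POST content.dropboxapi.com 52428800
2017-02-20T09:03:45 eng-ws-07 POST content.dropboxapi.com 73400320
2017-02-20T09:15:02 hr-ws-02 POST content.dropboxapi.com 1048576
2017-02-20T09:20:33 scada-hmi-01 POST content.dropboxapi.com 31457280
2017-02-20T09:22:10 eng-ws-07 GET www.example.org 512
2017-02-20T10:02:55 eng-ws-07 POST content.dropboxapi.com 94371840
"""

# Hosts seen using Dropbox legitimately during a learning period (assumed).
BASELINE_DROPBOX_HOSTS = {"hr-ws-02"}
# Per-host daily upload threshold in bytes (assumed; tune per environment).
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # 100 MiB
# Destination suffixes treated as Dropbox (assumed list, extend as needed).
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def is_dropbox(dest):
    return any(dest == s or dest.endswith("." + s) for s in DROPBOX_SUFFIXES)


def upload_bytes_per_host(log_text):
    """Sum bytes sent via POST to Dropbox domains, per client host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the job
        _, host, method, dest, sent = m.groups()
        if method == "POST" and is_dropbox(dest):
            totals[host] += int(sent)
    return dict(totals)


def flag_hosts(log_text, baseline=BASELINE_DROPBOX_HOSTS, threshold=UPLOAD_THRESHOLD):
    """Return (host, total_bytes, reasons) for hosts that deviate from baseline."""
    alerts = []
    for host, total in sorted(upload_bytes_per_host(log_text).items()):
        reasons = []
        if host not in baseline:
            reasons.append("host has no prior Dropbox use")
        if total > threshold:
            reasons.append(f"uploaded {total // (1024 * 1024)} MiB, above threshold")
        if reasons:
            alerts.append((host, total, reasons))
    return alerts
```

Run against real proxy logs, the baseline set and threshold would come from a learning period rather than constants, and an OT host appearing in the output at all should be treated as a high-priority finding.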

Sources: Many Ukrainian Organizations Targeted in Reconnaissance Operation (Security Week), Operation BugDrop (CyberX), Operation Groundbait (ESET), Operation BugDrop – Hackers siphoned 600GB taking control of PC microphones (Security Affairs)

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu