Welcome!

News Feed Item

CyberX Discovers Operation BugDrop: A Large-Scale Cyber-Reconnaissance Operation Targeting Ukrainian Organizations

Sophisticated operation uses Dropbox to store exfiltrated data including audio recordings of sensitive conversations, screen shots, documents and passwords

BOSTON, Feb. 16, 2017 /PRNewswire/ -- CyberX, providers of the most widely deployed industrial cybersecurity platform, today announced the discovery of a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously "bug" its targets – and uses Dropbox to store exfiltrated data, CyberX has named it "Operation BugDrop."  The full report on Operation BugDrop including Indicators of Compromise (IoCs) can be found on the CyberX blog.

Operation BugDrop: Targets

CyberX has confirmed at least 70 victims successfully targeted by the operation in a range of sectors including critical infrastructure, media, and scientific research.  The operation seeks to capture a range of sensitive information including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer's microphone without physically accessing and disabling the PC hardware.

Most of BugDrop's targets are located in the Ukraine, but there are also some in Russia and a small number in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, regions classified as terrorist organizations by the Ukrainian government.  CyberX believes the cyber-reconnaissance operation has been underway since June 2016.

Examples of Operation BugDrop targets identified by CyberX so far include:

  • A company that designs remote monitoring systems for oil & gas pipeline infrastructures.
  • An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine.
  • An engineering company that designs electrical substations, gas distribution pipelines and water supply plants.
  • A scientific research institute.
  • Editors of two Ukrainian newspapers.

Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources.  In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several Gigabytes per day of unstructured data that is being captured from its targets.  A large team of human analysts is also required to manually sort through captured data and process it manually or with Big Data-like analytics.

The operation's Tactics, Techniques and Procedures (TTPs) are also sophisticated.  For example, it uses:

  • Dropbox for data exfiltration, a clever approach because Dropbox traffic is a widely used cloud service that is typically not blocked or monitored by corporate firewalls.
  • Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities.  Reflective DLL Injection loads malicious code without calling the normal Windows API calls, thereby bypassing security verification of the code before its gets loaded into memory.
  • Encrypted DLLs, thereby avoiding detection by common anti-virus and sandboxing systems because they're unable to analyze encrypted files.
  • Using legitimate free web hosting sites for command-and-control infrastructureC&C servers are a potential pitfall for attackers as investigators can often identify attackers using registration details for the C&C server obtained via freely available tools such as whois and PassiveTotal.  Free web hosting sites, on the other hand, require little or no registration information.  Operation BugDrop uses a free web-hosting site to store the core malware module that gets downloaded to infected victims.  In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.

"There's been a lot of cyber activity in the Ukraine – but what makes this one stand out is its scale and the amount of human and logistical resources required to analyze such massive amounts of unstructured stolen data.  Clearly, these cyber-operatives know what they're doing," said Nir Giller, CTO, CyberX.  "To prevent theft of corporate intellectual property and disruption of production operations, organizations of all types need to implement better detection of targeted attacks like these.  Continuous monitoring of both IT and OT networks, and ongoing access to actionable threat intelligence, are two fundamental building blocks for modern cyberdefense."

About CyberX
Founded in 2013 by IDF cyber experts, CyberX provides the most widely deployed platform for securing industrial control systems (ICS).  The CyberX platform combines continuous, non-invasive vulnerability monitoring and advanced behavioral analytics with proprietary ICS-specific threat intelligence. This enables critical infrastructure and industrial organizations to immediately detect risk and mitigate risk, including targeted threats and industrial malware in their Operational Technology (OT) networks.

CyberX has racked up numerous awards and industry accolades including being named a  "Cool Vendor" by Gartner.  CyberX is also the only industrial cybersecurity vendor selected for the SINET16 Innovator Award sponsored by the US DHS and DoD, and the only ICS security vendor recognized by the International Society of Automation (ISA).

An active member of the Industrial Internet Consortium (IIC) and the ICS-ISAC, CyberX also provides groundbreaking ICS threat intelligence research that was recently featured in the popular McGraw-Hill book series, "Hacking Exposed ICS." For more information visit CyberX-Labs.com.

Media Contact:
Elizabeth Safran
Looking Glass Public Relations
408-348-1214 (cell)
[email protected]

To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/cyberx-discovers-operation-bugdrop-a-large-scale-cyber-reconnaissance-operation-targeting-ukrainian-organizations-300408969.html

SOURCE CyberX

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we'v...
Though cloud is the future of enterprise computing, a smooth transition of legacy applications and systems is critical for seamless business operations. IT professionals are eager to start leveraging the cost, scale and other benefits of cloud, but with massive investments already in place in existing infrastructure and a number of compliance and resource hurdles, it can be challenging to move to a cloud-based infrastructure.
SYS-CON Events announced today that NetApp has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. NetApp is the data authority for hybrid cloud. NetApp provides a full range of hybrid cloud data services that simplify management of applications and data across cloud and on-premises environments to accelerate digital transformation. Together with their partners, NetApp emp...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, will provide a fun and simple way to introduce Machine Leaning to anyone and everyone. Together we will solve a machine learning problem and find an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intellige...
SYS-CON Events announced today that TidalScale, a leading provider of systems and services, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale has been involved in shaping the computing landscape. They've designed, developed and deployed some of the most important and successful systems and services in the history of the computing industry - internet, Ethernet, operating s...
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
Infoblox delivers Actionable Network Intelligence to enterprise, government, and service provider customers around the world. They are the industry leader in DNS, DHCP, and IP address management, the category known as DDI. We empower thousands of organizations to control and secure their networks from the core-enabling them to increase efficiency and visibility, improve customer service, and meet compliance requirements.
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Services at NetApp, will describe how NetApp designed a three-year program of work to migrate 25PB of a major telco's enterprise data to a new STaaS platform, and then secured a long-term contract to manage and operate the platform. This significant program blended the best of NetApp’s solutions and services capabilities to enable this telco’s successful adoption of private cloud storage and launchi...
Data scientists must access high-performance computing resources across a wide-area network. To achieve cloud-based HPC visualization, researchers must transfer datasets and visualization results efficiently. HPC clusters now compute GPU-accelerated visualization in the cloud cluster. To efficiently display results remotely, a high-performance, low-latency protocol transfers the display from the cluster to a remote desktop. Further, tools to easily mount remote datasets and efficiently transfer...
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo Silicon Valley which will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. "DevOps is at the intersection of technology and business-optimizing tools, organizations and processes to bring measurable improvements in productivity and profitability," said Aruna Ravichandran, vice president, DevOps product and solutions marketing...
Join IBM November 1 at 21st Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Cognitive analysis impacts today’s systems with unparalleled ability that were previously available only to manned, back-end operations. Thanks to cloud processing, IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Imagine a robot vacuum that becomes your personal assistant tha...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, will lead you through the exciting evolution of the cloud. He'll look at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering ...
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It’s clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Tha...
SYS-CON Events announced today that Avere Systems, a leading provider of enterprise storage for the hybrid cloud, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere delivers a more modern architectural approach to storage that doesn't require the overprovisioning of storage capacity to achieve performance, overspending on expensive storage media for inactive data or the overbui...