CyberX Discovers Operation BugDrop: A Large-Scale Cyber-Reconnaissance Operation Targeting Ukrainian Organizations

Sophisticated operation uses Dropbox to store exfiltrated data including audio recordings of sensitive conversations, screen shots, documents and passwords

BOSTON, Feb. 16, 2017 /PRNewswire/ -- CyberX, providers of the most widely deployed industrial cybersecurity platform, today announced the discovery of a new, large-scale cyber-reconnaissance operation aimed at a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously "bug" its targets – and uses Dropbox to store exfiltrated data, CyberX has named it "Operation BugDrop."  The full report on Operation BugDrop, including Indicators of Compromise (IoCs), can be found on the CyberX blog.

Operation BugDrop: Targets

CyberX has confirmed at least 70 victims successfully targeted by the operation in a range of sectors including critical infrastructure, media, and scientific research.  The operation seeks to capture a range of sensitive information including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer's microphone without physically accessing and disabling the PC hardware.

Most of BugDrop's targets are located in the Ukraine, but there are also some in Russia and a small number in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, regions classified as terrorist organizations by the Ukrainian government.  CyberX believes the cyber-reconnaissance operation has been underway since June 2016.

Examples of Operation BugDrop targets identified by CyberX so far include:

  • A company that designs remote monitoring systems for oil & gas pipeline infrastructures.
  • An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine.
  • An engineering company that designs electrical substations, gas distribution pipelines and water supply plants.
  • A scientific research institute.
  • Editors of two Ukrainian newspapers.

Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources.  In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several Gigabytes per day of unstructured data that is being captured from its targets.  A large team of human analysts is also required to sort through the captured data, either manually or with Big Data-style analytics.

The operation's Tactics, Techniques and Procedures (TTPs) are also sophisticated.  For example, it uses:

  • Dropbox for data exfiltration, a clever approach because Dropbox is a widely used cloud service whose traffic is typically not blocked or monitored by corporate firewalls.
  • Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities.  Reflective DLL Injection loads malicious code without going through the normal Windows loader API calls, thereby bypassing security verification of the code before it gets loaded into memory.
  • Encrypted DLLs, thereby avoiding detection by common anti-virus and sandboxing systems because they're unable to analyze encrypted files.
  • Legitimate free web hosting sites for command-and-control infrastructure.  C&C servers are a potential pitfall for attackers, as investigators can often identify attackers using registration details for the C&C server obtained via freely available tools such as whois and PassiveTotal.  Free web hosting sites, on the other hand, require little or no registration information.  Operation BugDrop uses a free web-hosting site to store the core malware module that gets downloaded to infected victims.  In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
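One defender-side check the first TTP above suggests, as an added example that is not CyberX's code or part of the BugDrop report: sum the bytes each internal client uploads to Dropbox hosts from proxy logs and flag outliers, since the operation moves several gigabytes per day through a service most firewalls allow. The log line format, the Dropbox hostname list and the 100 MiB threshold are assumptions, and the log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real BugDrop traffic).
# Fields: timestamp, client_ip, method, host, request_body_bytes, status
SAMPLE_PROXY_LOG = """\
2017-02-10T09:01:12Z 10.20.1.15 POST content.dropboxapi.com 52428800 200
2017-02-10T09:14:40Z 10.20.1.15 POST content.dropboxapi.com 73400320 200
2017-02-10T09:30:05Z 10.20.1.15 POST content.dropboxapi.com 41943040 200
2017-02-10T10:02:33Z 10.20.1.42 GET www.dropbox.com 812 200
2017-02-10T10:05:11Z 10.20.1.42 POST content.dropboxapi.com 2097152 200
2017-02-10T11:17:09Z 10.20.1.77 POST mail.example.org 3145728 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes_sent>\d+) (?P<status>\d{3})$"
)

# Assumed list of Dropbox web/API domains; extend from your own proxy data.
DROPBOX_HOSTS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")


def is_dropbox_host(host: str) -> bool:
    """True if host is one of the Dropbox domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DROPBOX_HOSTS)


def upload_bytes_by_client(log_text: str) -> dict:
    """Sum request-body bytes each client sent to Dropbox hosts (uploads only)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        if m["method"] in ("POST", "PUT") and is_dropbox_host(m["host"]):
            totals[m["client"]] += int(m["bytes_sent"])
    return dict(totals)


def flag_heavy_uploaders(log_text: str, threshold_bytes: int = 100 * 1024 * 1024) -> list:
    """Clients whose Dropbox upload volume exceeds the threshold, largest first."""
    totals = upload_bytes_by_client(log_text)
    heavy = [(c, b) for c, b in totals.items() if b > threshold_bytes]
    return sorted(heavy, key=lambda cb: cb[1], reverse=True)
```

Dropbox is also a legitimate business tool, so a per-host baseline over time is more useful in practice than a single fixed threshold.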

"There's been a lot of cyber activity in the Ukraine – but what makes this one stand out is its scale and the amount of human and logistical resources required to analyze such massive amounts of unstructured stolen data.  Clearly, these cyber-operatives know what they're doing," said Nir Giller, CTO, CyberX.  "To prevent theft of corporate intellectual property and disruption of production operations, organizations of all types need to implement better detection of targeted attacks like these.  Continuous monitoring of both IT and OT networks, and ongoing access to actionable threat intelligence, are two fundamental building blocks for modern cyberdefense."

About CyberX
Founded in 2013 by IDF cyber experts, CyberX provides the most widely deployed platform for securing industrial control systems (ICS).  The CyberX platform combines continuous, non-invasive vulnerability monitoring and advanced behavioral analytics with proprietary ICS-specific threat intelligence. This enables critical infrastructure and industrial organizations to immediately detect and mitigate risk, including targeted threats and industrial malware in their Operational Technology (OT) networks.

CyberX has racked up numerous awards and industry accolades including being named a "Cool Vendor" by Gartner.  CyberX is also the only industrial cybersecurity vendor selected for the SINET16 Innovator Award sponsored by the US DHS and DoD, and the only ICS security vendor recognized by the International Society of Automation (ISA).

An active member of the Industrial Internet Consortium (IIC) and the ICS-ISAC, CyberX also provides groundbreaking ICS threat intelligence research that was recently featured in the popular McGraw-Hill book series, "Hacking Exposed ICS." For more information visit CyberX-Labs.com.

Media Contact:
Elizabeth Safran
Looking Glass Public Relations
408-348-1214 (cell)
[email protected]

To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/cyberx-discovers-operation-bugdrop-a-large-scale-cyber-reconnaissance-operation-targeting-ukrainian-organizations-300408969.html

SOURCE CyberX
