#OperationBugDrop. Ukrainian Media & Scientist’s Microphone Hijacked. 600GB Data Exfiltrated


#BugDrop. An advanced malware-based operation has been uncovered that exfiltrated over 600 GB of data from about 70 targets in Ukraine. The operation targeted several Ukrainian sectors, including critical infrastructure, media, and scientific research.
Operation BugDrop

Uncovered by threat intelligence firm CyberX, the operation has been named “Operation BugDrop,” as it eavesdrops on sensitive conversations by remotely controlling PC microphones and uses Dropbox to store stolen data.

The uncovered operation uses malware to capture audio recordings of conversations, screenshots, documents, and passwords.

“Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources,” the CyberX researchers asserted in the research post.

While most of the targets are located in Ukraine, there are also a few targets in Russia and a smaller number in Saudi Arabia and Austria.

According to CyberX, BugDrop’s targets include:
1. A company that designs remote monitoring systems for oil and gas pipelines
2. An international organization that monitors human rights, counter-terrorism, and computer attacks on Ukrainian critical infrastructure
3. An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants
4. A scientific research institute
5. Editors of Ukrainian newspapers

The attackers used traditional phishing emails to deliver the malware to their targets. Targets are initially infected through Microsoft Word documents with embedded malicious macros. Once a machine is compromised, the malware uploads the captured audio and data to Dropbox, from where the attackers retrieve it.
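Because the initial access step described above is a Word document carrying a malicious macro, the cheapest control is to detect macro-bearing attachments at the mail gateway before a user ever opens them. The following is an added example, not code from CyberX or from the report; it inspects an OOXML Word file for a VBA project using the real OOXML part name and content type, and the sample documents it builds are constructed in-line for testing (they contain no real VBA).

```python
import io
import zipfile

# Added example (not CyberX's code): classify a Word attachment by whether it
# carries a VBA project. BugDrop's lures were Word documents with embedded
# malicious macros, so rejecting or quarantining macro-bearing attachments
# from outside the organisation removes the initial-access step entirely.
# The part name and content types below are the standard OOXML ones.

VBA_PART = "word/vbaProject.bin"
MACRO_ENABLED_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOC_TYPE = ("application/vnd.openxmlformats-officedocument"
                  ".wordprocessingml.document.main+xml")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container


def classify_word_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'unknown'.

    Two independent signals are checked for OOXML files: the vbaProject.bin
    part itself and the macro-enabled content type declared in
    [Content_Types].xml. Legacy binary .doc files can also hold macros but
    need an OLE parser, so they are reported separately for a second-stage
    scanner rather than silently passed as clean.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "unknown"
    with zf:
        names = set(zf.namelist())
        if VBA_PART in names:
            return "macro"
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_ENABLED_TYPE in types_xml:
                return "macro"
        return "clean" if "word/document.xml" in names else "unknown"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real lure."""
    main_type = MACRO_ENABLED_TYPE if with_macro else PLAIN_DOC_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
            "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only: an OLE header, no actual VBA streams.
            zf.writestr(VBA_PART, OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro sample", build_sample(True)),
                        ("clean sample", build_sample(False))):
        print(label, "->", classify_word_attachment(blob))
```

Checking both the part and the declared content type matters: a document can declare the macro-enabled type without the part (or vice versa) after tampering, and either signal on its own is enough to hold the attachment for review.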

Fig: High-level view of malware architecture (CyberX)

BugDrop may be termed a sophisticated attack for several reasons:

  1. BugDrop uses Dropbox to store exfiltrated data because Dropbox traffic is typically not blocked or monitored by corporate firewalls.
  2. To make command-and-control traffic look legitimate, the BugDrop operators used legitimate websites for their command-and-control infrastructure.
  3. BugDrop encrypts its DLLs on the Windows file system, which avoids detection by traditional anti-virus and sandboxing systems.
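The first point above is the defender's opening: Dropbox traffic is TLS-encrypted and usually allowed, but the proxy still records how many bytes each client pushes to Dropbox endpoints, and 600 GB of audio and documents leaving a network is a volume anomaly regardless of content. The following is an added example, not part of the CyberX report; the log format it parses is an assumed, simplified Squid-like layout, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Added example (not from the CyberX report): flag clients that push unusually
# large volumes to Dropbox through the corporate web proxy. Because the
# exfiltration channel is TLS, the detection is volume-based rather than
# content-based, and it pairs naturally with an allowlist of machines that
# legitimately sync to Dropbox.

DROPBOX_HOSTS = {
    "content.dropboxapi.com",   # file upload/download API endpoint
    "api.dropboxapi.com",       # metadata API endpoint
    "www.dropbox.com",
}

# Constructed proxy log lines in an assumed simplified layout:
# <epoch> <client_ip> <method> <host> <bytes_sent_by_client> <bytes_received>
SAMPLE_LOG = """\
1487500000 10.1.2.15 CONNECT content.dropboxapi.com 52428800 1200
1487500060 10.1.2.15 CONNECT content.dropboxapi.com 73400320 1200
1487500120 10.1.2.40 GET www.dropbox.com 900 245000
1487500180 10.1.2.88 CONNECT content.dropboxapi.com 1048576 800
1487500240 10.1.2.15 CONNECT api.dropboxapi.com 4096 2048
1487500300 10.1.2.40 GET example.org 500 30000
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) "
    r"(?P<sent>\d+) (?P<recv>\d+)$"
)


def parse_proxy_log(text: str) -> list:
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("ts", "sent", "recv"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def dropbox_upload_volume(records: list) -> dict:
    """Total bytes each client sent (upload direction) to Dropbox endpoints."""
    totals = defaultdict(int)
    for r in records:
        if r["host"] in DROPBOX_HOSTS:
            totals[r["client"]] += r["sent"]
    return dict(totals)


def find_suspect_uploaders(records: list,
                           threshold_bytes: int = 50 * 1024 * 1024,
                           sanctioned: frozenset = frozenset()) -> dict:
    """Clients over the upload threshold that are not sanctioned Dropbox users.

    The 50 MiB default is an arbitrary starting point; tune it per site from a
    baseline of normal upload volume, and feed the result to a ticket or SIEM.
    """
    return {
        client: total
        for client, total in dropbox_upload_volume(records).items()
        if total >= threshold_bytes and client not in sanctioned
    }


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    for client, total in find_suspect_uploaders(recs).items():
        print(f"{client}: {total / 1048576:.1f} MiB uploaded to Dropbox")
```

In the constructed sample, 10.1.2.15 uploads about 120 MiB to Dropbox across three connections and is the only client flagged; adding it to the sanctioned set silences the alert, which is how a known sync workstation would be handled. A sliding time window per client is the natural next refinement, since an operation like this trickles data out over days rather than in one burst.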

CyberX researchers avoided naming any specific country behind the attack but said Operation BugDrop was almost surely the work of a government with nearly limitless resources.