Attackers are spreading a cyber espionage campaign in Ukraine by spying on PC microphones in order to secretly listen to private conversations and store stolen data on Dropbox. Dubbed Operation BugDrop, the attack has targeted critical infrastructure, media, and scientific researchers.
Cybersecurity firm CyberX confirmed the attacks, saying Operation BugDrop has hit at least 70 victims across Ukraine. According to CyberX, the cyber espionage operation has been running since no later than June 2016 and is still active. The company said:
The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.
Targets and methods
Some examples of Operation BugDrop’s targets include:
- A company that designs remote monitoring systems for oil & gas pipeline infrastructures.
- An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine.
- An engineering company that designs electrical substations, gas distribution pipelines, and water supply plants.
- A scientific research institute.
- Editors of Ukrainian newspapers.
More specifically, the attack targeted victims in Ukraine’s separatist-held regions of Donetsk and Luhansk. In addition to using Dropbox for exfiltration, the attackers also rely on the following advanced tactics:
- Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code into a process without going through the normal Windows loader API calls, so the code bypasses the security checks that would otherwise be applied before it gets loaded into memory.
- Encrypted DLLs, which evade detection by common anti-virus and sandboxing systems because those tools cannot analyze the payload while it is encrypted.
- Legitimate free web hosting sites for its command-and-control infrastructure. C&C servers are a potential pitfall for attackers, since investigators can often identify them through the registration details of the C&C server, obtained via freely available tools such as whois and PassiveTotal. Free web hosting sites, on the other hand, require little or no registration information. Operation BugDrop uses a free web hosting site to store the core malware module that gets downloaded to infected victims. In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
According to CyberX, Operation BugDrop closely resembles Operation Groundbait, which was discovered in May 2016 targeting pro-Russian individuals.