Attacks from hackers are multifaceted, but a great deal of the preparation for an attack involves reconnaissance. These information-gathering sessions are vital for threat actors because they can reveal the most sensitive access points, the locations of vital data, and much more. Amplify this idea to the point where numerous vital elements of society are being reconnoitred by one powerful group of black hats and you get Operation BugDrop.
Operation BugDrop has been actively studied by the cybersecurity firm CyberX. In a recent blog post by the company, the methods and targets of Operation BugDrop were detailed. The cyber-reconnaissance operation is currently targeting at least 70 organizations in “critical infrastructure, media, and scientific research.” Examples of these organizations include newspapers, engineering companies responsible for power infrastructure such as gas pipelines, and non-governmental organizations such as those involved in human rights. According to CyberX, the operation seeks “audio recordings of conversations, screen shots, documents, and passwords.”
The bulk of these targets are based in Ukraine, specifically in the separatist states of Donetsk and Luhansk. This information is key to unraveling the intentions of Operation BugDrop, as the Ukrainian government has designated these states as terrorist organizations. Operation BugDrop’s resources have been shown to be powerful and well-financed in a manner that only a nation-state would be able to pull off.
The main attack method begins with spear-phishing emails carrying Microsoft Office documents laced with malicious macros. Once the target takes the bait, Operation BugDrop seeks out data in a few ways. One method is eavesdropping on conversations through the microphone of the machine it has infected. Another takes a page out of Stuxnet’s book by bypassing Windows API security verification through Reflective DLL Injection.
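Since the entry point is a macro-laden Office attachment, the cheapest defensive control is a mail-gateway check that looks inside each attachment for a VBA project rather than trusting its extension. The following is an added example written for this post, not code from CyberX or from the BugDrop report: it inspects the OOXML zip container for the `vbaProject.bin` part that macro-enabled documents carry, flags legacy OLE binaries for deeper inspection, and runs over a handful of constructed sample attachments (the filenames and bytes are made up for the demonstration).

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format (.doc/.xls/.ppt).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file carries a VBA macro project.

    OOXML keeps macros in a binary part named vbaProject.bin inside the
    word/, xl/ or ppt/ folder. The check looks at the container's contents,
    so a .docm renamed to .docx is still caught.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(data: bytes) -> str:
    """Content-based verdict for one attachment body."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams, which need a
        # dedicated parser (for example olevba from oletools) to inspect.
        return "legacy-ole-inspect"
    if not data.startswith(b"PK"):
        return "not-office"
    return "macro" if has_vba_project(data) else "clean"


def build_container(parts: dict) -> bytes:
    """Build a minimal zip container standing in for an Office file.

    Constructed test data only; these are not real documents."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in parts.items():
            archive.writestr(name, content)
    return buffer.getvalue()


BASE_PARTS = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}

# Constructed sample attachments, keyed by the filename the sender chose.
SAMPLES = {
    "report.docx": build_container(BASE_PARTS),
    "invoice.docm": build_container({**BASE_PARTS, "word/vbaProject.bin": b"\x00\x01"}),
    "renamed.docx": build_container({**BASE_PARTS, "word/vbaProject.bin": b"\x00\x01"}),
    "archive.doc": OLE_MAGIC + b"\x00" * 24,
    "notes.txt": b"just text",
}


def triage(samples: dict) -> dict:
    """Classify every attachment; a gateway would typically quarantine 'macro'."""
    return {name: classify_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

The point of `renamed.docx` is that the verdict comes from the container, not the name: an attacker-chosen extension does not change what the file contains. Legacy `.doc` files are only flagged here, because their macro storage needs an OLE stream parser that this short check deliberately leaves out.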
Once the data is collected, it is uploaded to Dropbox for exfiltration. With roughly 3GB of data uploaded each day, it is safe to assume that there is, as CyberX states, “massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets.” They also note that “a large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.” This only testifies further to the theory that a nation-state is behind the recon ops, as there are simply too many moving parts for this to be the work of a private hacking collective.
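Exfiltration through a legitimate cloud service blends into normal traffic, but the volume described here does not: gigabytes per day leaving one workstation for a file-sharing domain is a measurable anomaly. The following is an added example, not code from CyberX or from this post, showing how a defender could surface that pattern from proxy logs. The log format (timestamp, client, HTTP method, destination host, bytes sent) and the log lines themselves are constructed for the demonstration, and the list of watched Dropbox domains is an assumed starting point to be extended per environment; the thresholds used are likewise assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines, not real telemetry. Fields:
# timestamp  client  method  destination host  bytes sent by the client
SAMPLE_LOG = """\
2017-02-20T08:01:12Z 10.0.5.17 POST content.dropboxapi.com 314572800
2017-02-20T09:03:44Z 10.0.5.17 POST content.dropboxapi.com 314572800
2017-02-20T10:02:09Z 10.0.5.17 POST content.dropboxapi.com 314572800
2017-02-20T11:04:51Z 10.0.5.17 POST content.dropboxapi.com 314572800
2017-02-20T11:11:11Z 10.0.5.17 GET www.dropbox.com 4096
2017-02-20T12:01:30Z 10.0.5.17 POST content.dropboxapi.com 314572800
2017-02-20T13:00:58Z 10.0.5.17 POST content.dropboxapi.com 314572800
2017-02-20T09:15:00Z 10.0.5.22 POST content.dropboxapi.com 5242880
2017-02-20T16:40:21Z 10.0.5.22 POST content.dropboxapi.com 5242880
2017-02-20T10:10:10Z 10.0.5.30 POST backup.corp.example 2147483648
"""

# Assumed list of cloud-storage domains to watch; extend for your environment.
WATCHED_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
UPLOAD_METHODS = {"POST", "PUT"}


def is_watched(host: str, suffixes) -> bool:
    """Match the host itself or any subdomain of a watched suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def summarize_uploads(log_text: str, suffixes=WATCHED_DOMAINS) -> dict:
    """Per (client, day): bytes uploaded to watched domains and the hours seen."""
    summary = defaultdict(lambda: {"bytes": 0, "hours": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, method, host, sent = line.split()
        # Only client-to-server uploads count toward exfiltration volume.
        if method not in UPLOAD_METHODS or not is_watched(host, suffixes):
            continue
        day, clock = timestamp.split("T")
        entry = summary[(client, day)]
        entry["bytes"] += int(sent)
        entry["hours"].add(clock[:2])
    return dict(summary)


def flag_exfiltration(summary: dict, byte_threshold: int, min_hours: int) -> list:
    """Flag clients whose daily upload volume is large AND sustained across hours.

    Requiring both conditions separates a steady drip of captured data from a
    single legitimate bulk upload of the same size."""
    flagged = []
    for (client, day), entry in sorted(summary.items()):
        if entry["bytes"] >= byte_threshold and len(entry["hours"]) >= min_hours:
            flagged.append({"src": client, "day": day,
                            "bytes": entry["bytes"], "hours": len(entry["hours"])})
    return flagged


if __name__ == "__main__":
    hits = flag_exfiltration(summarize_uploads(SAMPLE_LOG), byte_threshold=1 << 30, min_hours=3)
    for hit in hits:
        print(f"{hit['src']} {hit['day']}: {hit['bytes'] / 2**30:.2f} GiB over {hit['hours']} hours")
```

In the sample, only 10.0.5.17 trips both conditions: about 1.76 GiB spread across six different hours of one day. The host that sends 2 GiB to an internal backup server is ignored because the destination is not a watched domain, and the host that sends a few megabytes stays under the volume threshold. In a real deployment the baseline would be learned per host rather than hard-coded, but the two-condition shape of the rule is what keeps a legitimate one-off upload from paging an analyst.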
There is not enough information to suggest that possibly the Ukrainian government or its allies like the United States are involved. However, with the pro-Russia ties of Donetsk and Luhansk, and especially the neo-McCarthyist paranoia currently sweeping governmental and corporate media organizations in America, I’m led toward the direction of possible involvement by the U.S. government or its proxies. This is simply conjecture, though it should be noted that, besides the separatist states of Donetsk and Luhansk, Operation BugDrop has also targeted organizations in Russia, Saudi Arabia, and Austria.
Whoever these guys are, they are powerful, dangerous, and must be monitored.