CyberX ID’s Large-Scale Cyber-Eavesdropping Operation (Audio)

CyberX has identified a new, large-scale cyber-reconnaissance operation capable of eavesdropping on sensitive conversations by remotely controlling PC microphones, in order to surreptitiously “bug” its targets. Because the operation uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”

Operation BugDrop: Targets

CyberX has confirmed at least 70 victims that were successfully targeted by the operation in a range of sectors including critical infrastructure, media, and scientific research.

The operation seeks to capture a range of sensitive information including audio recordings of conversations, screenshots, documents and passwords.

Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.

Most of BugDrop’s targets were located in the Ukraine, but there are also some in Russia and a small number in Saudi Arabia and Austria.

Many targets are located in the self-declared separatist states of Donetsk and Luhansk, regions classified as terrorist organizations by the Ukrainian government.

CyberX believes the cyber-reconnaissance operation has been underway since June 2016.

Users are targeted via specially crafted phishing emails and prompted to open a Microsoft Word decoy document containing malicious macros. If macros are disabled, users are presented with a dialog box that prompts them to enable macros, claiming they’re using an older version of Office. The dialog box is well-designed social engineering and appears to be an authentic Microsoft Office message.

Examples of Operation BugDrop targets identified by CyberX so far include:

  • A company that designs remote monitoring systems for oil & gas pipeline infrastructures.
  • An international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine.
  • An engineering company that designs electrical substations, gas distribution pipelines and water supply plants.
  • A scientific research institute.
  • Editors of two Ukrainian newspapers.

Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources.

In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several Gigabytes per day of unstructured data that is being captured from its targets.

A large team of human analysts is also required to sort through captured data and process it manually or with Big Data-like analytics.

The operation’s Tactics, Techniques and Procedures (TTPs) are also sophisticated.

For example, it uses:

Dropbox for data exfiltration

  • A clever approach, because Dropbox is a widely used cloud service whose traffic is typically not blocked or monitored by corporate firewalls.

Reflective DLL Injection

  • An advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities.
  • Reflective DLL Injection loads malicious code without using the normal Windows API calls, thereby bypassing security verification of the code before it gets loaded into memory.

Encrypted DLLs

  • The DLLs are encrypted, thereby avoiding detection by common anti-virus and sandboxing systems, which are unable to analyze encrypted files.

Using legitimate free web hosting sites for command-and-control infrastructure

  • C&C servers are a potential pitfall for attackers as investigators can often identify attackers using registration details for the C&C server obtained via freely available tools such as whois and PassiveTotal.
  • Free web hosting sites, on the other hand, require little or no registration information.  Operation BugDrop uses a free web-hosting site to store the core malware module that gets downloaded to infected victims.
  • In comparison, the Groundbait attackers registered and paid for their own malicious domains and IP addresses.
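
An added example, not taken from the CyberX report: one way to surface the Dropbox exfiltration channel described above is to total each host's daily upload volume to Dropbox domains in proxy logs and flag hosts that upload far more than they download. The log format, host names, dates and thresholds are constructed assumptions to be tuned per environment.

```python
from collections import defaultdict

# Constructed sample proxy log (hypothetical format, not real telemetry):
# date host dest_domain bytes_out bytes_in
SAMPLE_LOG = """\
2017-02-01 ws-014 content.dropboxapi.com 4200000000 310000
2017-02-01 ws-014 api.dropboxapi.com 150000 90000
2017-02-01 ws-022 www.dropbox.com 2500000 48000000
2017-02-01 ws-031 example.org 900000000 1200
2017-02-02 ws-014 content.dropboxapi.com 3900000000 280000
2017-02-02 ws-022 content.dropboxapi.com 12000000 9000000
"""

DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")

def is_dropbox(domain):
    # Match the registered domain or a true subdomain, not look-alikes.
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DROPBOX_SUFFIXES)

def parse_log(log_text):
    # Yield (date, host, domain, bytes_out, bytes_in); skip malformed lines.
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, host, domain, out, inn = parts
        if out.isdigit() and inn.isdigit():
            yield date, host, domain, int(out), int(inn)

def flag_upload_heavy(log_text, min_bytes_out=1_000_000_000, min_ratio=10.0):
    # Thresholds are assumptions: 1 GB/day uploaded, 10x more sent than received.
    totals = defaultdict(lambda: [0, 0])
    for date, host, domain, out, inn in parse_log(log_text):
        if is_dropbox(domain):
            totals[(date, host)][0] += out
            totals[(date, host)][1] += inn
    alerts = []
    for (date, host), (out, inn) in sorted(totals.items()):
        ratio = out / max(inn, 1)
        if out >= min_bytes_out and ratio >= min_ratio:
            alerts.append((date, host, out, round(ratio, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_upload_heavy(SAMPLE_LOG):
        print(alert)
```

Ordinary sync clients that mostly download, such as ws-022 in the sample, stay below both thresholds, while a workstation pushing gigabytes outbound every day is flagged.
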

Nir Giller, CTO, CyberX

“There’s been a lot of cyber activity in the Ukraine – but what makes this one stand out is its scale and the amount of human and logistical resources required to analyze such massive amounts of unstructured stolen data,” said Nir Giller, CTO, CyberX.

“Clearly, these cyber-operatives know what they’re doing.”

“To prevent theft of corporate intellectual property and disruption of production operations, organizations of all types need to implement better detection of targeted attacks like these.”

“Continuous monitoring of both IT and OT networks, and ongoing access to actionable threat intelligence, are two fundamental building blocks for modern cyberdefense.”

(Hear Nir Giller of CyberX address the “false sense of security” when it comes to ICS, beginning at 3:00 minutes, from The CyberWire Podcast, Jan 19 2017. Courtesy of The CyberWire and YouTube)

The full report on Operation BugDrop including Indicators of Compromise (IoCs) can be found on the CyberX blog.


CyberX provides the most widely deployed platform for securing industrial control systems (ICS).  The CyberX platform combines continuous, non-invasive vulnerability monitoring and advanced behavioral analytics with proprietary ICS-specific threat intelligence.

This enables critical infrastructure and industrial organizations to immediately detect and mitigate risk, including targeted threats and industrial malware in their Operational Technology (OT) networks.