Cyber espionage campaign against Ukraine used PC microphones to eavesdrop on sensitive discussions
Seventy government, infrastructure and scientific research establishments all compromised
A cyber espionage campaign against government, infrastructure and scientific research targets in Ukraine activated PC microphones in order to surreptitiously eavesdrop on sensitive conversations.
That is the claim of CyberX Labs, an Israel-based security company in research released last week. CyberX claims that "at least" 70 organisations were successfully targeted in the campaign, which it dubbed "Operation Bugdrop".
"The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer's microphone without physically accessing and disabling the PC hardware," claimed CyberX in a research note.
Most of the targets of the campaign have been found in Ukraine, with some in Russia, and a small number in Saudi Arabia and Austria. "Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organisations by the Ukrainian government," added CyberX.
Ukrainian newspaper editors, an engineering company designing electrical substations, gas distribution pipelines and water supply plants, a company designing remote monitoring systems for the oil and gas industries, and an organisation monitoring human rights and cyber-attacks on critical infrastructure in Ukraine were all found to have been targeted.
CyberX claimed that Dropbox was used to exfiltrate data because Dropbox traffic is typically not blocked or monitored by corporate firewalls.
Other features included:
- Reflective DLL Injection - a technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. This method loads malicious code without going through the normal Windows API calls for loading libraries, thereby bypassing security verification of the code before it gets loaded into memory;
- Encrypted DLLs - this avoids detection by common anti-virus and sandboxing systems because they are unable to analyse encrypted files;
- Using legitimate free web hosting sites for command-and-control infrastructure to avoid leaving clues to identification.
The malware was propagated via phishing attacks bearing Microsoft Office attachments with embedded malicious macros.
In all, the attackers are estimated to have exfiltrated some 600 gigabytes of data from the 70 targets.
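The report's observation that Dropbox traffic is seldom blocked or monitored points to the obvious defensive check: account for outbound volume to cloud-storage hosts per client. The script below is an added example, not code from CyberX or its report; the proxy log format, the host list and the 10 MiB threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report). Field order is an
# assumed format: timestamp client_ip method host bytes_sent bytes_received status
SAMPLE_LOG = """\
2017-02-10T09:01:12Z 10.1.4.22 POST content.dropboxapi.com 15728640 512 200
2017-02-10T09:03:45Z 10.1.4.22 POST content.dropboxapi.com 20971520 512 200
2017-02-10T09:05:01Z 10.1.4.22 POST content.dropboxapi.com 18874368 512 200
2017-02-10T09:06:30Z 10.1.4.51 GET www.dropbox.com 842 15337 200
2017-02-10T09:07:02Z 10.1.4.51 POST content.dropboxapi.com 204800 512 200
2017-02-10T09:08:11Z 10.1.4.22 GET example.org 610 20480 200
"""

# Assumed list of cloud-storage domains to watch; extend for other services.
CLOUD_STORAGE_HOSTS = ("dropbox.com", "dropboxapi.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, sent, recv, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "sent": int(sent), "recv": int(recv), "status": int(status)}


def is_cloud_storage(host):
    """Exact or subdomain match only, so 'dropbox.com.evil.example' is not matched."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_HOSTS)


def find_upload_outliers(log_text, threshold_bytes=10 * 1024 * 1024):
    """Return {client: bytes_sent} for clients whose cumulative upload volume
    to cloud-storage hosts exceeds threshold_bytes. Downloads are ignored:
    the signal for exfiltration is sustained outbound volume."""
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_cloud_storage(rec["host"]):
            continue
        totals[rec["client"]] += rec["sent"]
    return {client: sent for client, sent in totals.items() if sent > threshold_bytes}


if __name__ == "__main__":
    for client, sent in find_upload_outliers(SAMPLE_LOG).items():
        print(f"{client}: {sent / (1024 * 1024):.1f} MiB uploaded to cloud storage")
```

In a real deployment the threshold should be tuned against baseline usage per team, since legitimate Dropbox users also upload large files.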