Nir Giller, co-founder and CTO of the cybersecurity firm CyberX, suspects that Russia is behind new malware that has been found lying in wait in key infrastructure, banks, media, and scientific research sites throughout Ukraine. However, a member of CyberX contacted me and indicated that they have no direct evidence that this is true.
The main purpose of this new malware, dubbed BugDrop, is reconnaissance. It is designed to turn on the microphones of specifically targeted devices so that the operators can listen in on sensitive conversations. The conversations are saved as sound files and then surreptitiously uploaded to Dropbox. Although eavesdropping seems to be its main purpose, the malware is also capable of scanning computers and devices for documents and passwords, and of grabbing screenshots. Since there is no way for the malware to determine which conversations are valuable and which are not, it appears to require a large team of human analysts to sift through the immense amount of uploaded data coming in from numerous sources. This requirement for human support, with the expense it would incur, plus the sophistication of the malware, indicates that it must have been developed and deployed by a nation-state.
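Because BugDrop exfiltrates through a sanctioned cloud service, the defender's signal is volume rather than destination: a workstation that suddenly posts many megabytes of "sound files" to Dropbox's upload endpoint stands out against its own baseline. The script below is an added example, not code from the post or from CyberX. It parses a constructed proxy-log format (invented here), sums POST bytes per client to Dropbox's content host, and flags hosts above a placeholder threshold; the host names `content.dropboxapi.com` and `api.dropboxapi.com` are assumed from Dropbox's public API documentation, and the thresholds are illustrative.

```python
# Added example (not from the post or from CyberX): aggregate a constructed
# proxy log and flag hosts that push an unusual volume of data to Dropbox's
# upload endpoint. The log format is invented for this example; the Dropbox
# host names are assumed from Dropbox's public API documentation.
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client IP, HTTP method, destination host, bytes sent.
SAMPLE_LOG = """\
2017-02-20T09:14:02Z,10.0.0.5,GET,www.example.com,420
2017-02-20T09:15:11Z,10.0.0.7,POST,content.dropboxapi.com,5242880
2017-02-20T09:20:43Z,10.0.0.7,POST,content.dropboxapi.com,7340032
2017-02-20T09:22:05Z,10.0.0.9,POST,content.dropboxapi.com,102400
2017-02-20T09:31:18Z,10.0.0.7,POST,content.dropboxapi.com,6291456
2017-02-20T09:40:00Z,10.0.0.5,POST,api.dropboxapi.com,1024
"""

# Assumption: content.dropboxapi.com carries file bodies for uploads, while
# api.dropboxapi.com carries only metadata calls, so only the former is counted.
UPLOAD_HOSTS = {"content.dropboxapi.com"}


def parse_log(text):
    """Parse the constructed CSV format into a list of dict records."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, ip, method, host, nbytes = row
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "method": method,
            "host": host,
            "bytes": int(nbytes),
        })
    return records


def dropbox_upload_totals(records):
    """Sum bytes and count POSTs to the upload host, per client IP."""
    totals = defaultdict(lambda: {"bytes": 0, "uploads": 0})
    for r in records:
        if r["method"] == "POST" and r["host"] in UPLOAD_HOSTS:
            totals[r["ip"]]["bytes"] += r["bytes"]
            totals[r["ip"]]["uploads"] += 1
    return dict(totals)


def flag_hosts(records, byte_threshold=10 * 1024 * 1024, min_uploads=2):
    """Return client IPs whose upload volume and count both exceed the thresholds.

    The thresholds are placeholders; a real deployment would derive them from
    each host's own baseline, since one large legitimate sync would otherwise
    trip the rule.
    """
    return sorted(
        ip for ip, t in dropbox_upload_totals(records).items()
        if t["bytes"] >= byte_threshold and t["uploads"] >= min_uploads
    )


if __name__ == "__main__":
    for ip in flag_hosts(parse_log(SAMPLE_LOG)):
        print("review Dropbox uploads from", ip)
```

On the constructed log, only 10.0.0.7 is flagged: three uploads totalling 18 MiB, while the single 100 KiB upload from 10.0.0.9 and the metadata call from 10.0.0.5 stay below the bar. Requiring both a byte total and a minimum upload count is what keeps an ordinary one-off file share out of the alert queue.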
The real sophistication in this malware lies in the methods it uses to remain undetected. Here are some of the ways CyberX discovered that BugDrop uses to remain hidden.
In addition, the malware encrypts the file in which all of the stolen data is stored, so that even if the file is found, its contents cannot be identified.
Keep in mind that much malware only needs to infect one device, such as a smartphone, to spread throughout a network. Not surprisingly, the initial infection begins with a well-designed phishing email that includes an appropriately named Microsoft Office document as an attachment. However, when the victim tries to open the document, they receive what appears to be a legitimate message, which looks like this.
The message is in Russian, but translates as, “The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of the document.” If the victim enables macros, as suggested, the malware is released.
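The lure only works if the macro-bearing document reaches the user's desktop, so the cheapest control sits at the mail gateway: inspect the attachment's container rather than trusting its name or extension. The script below is an added example, not code from the post or from CyberX. It looks inside an OOXML package for a `vbaProject.bin` part or the `application/vnd.ms-office.vbaProject` content type, treats the legacy OLE2 format as needing deeper analysis, and builds its own minimal sample packages in memory (constructed, not real documents). The quarantine policy in `needs_review` is an assumption about what a gateway would do with the verdict.

```python
# Added example (not from the post or from CyberX): classify an e-mail
# attachment by whether it is a macro-enabled Office document, the kind of
# lure described above. Only the OOXML container structure is inspected;
# the sample documents are constructed in memory and are not real files.
import io
import zipfile

# Magic bytes of the legacy OLE2 (.doc/.xls) container.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML packages declare for an embedded VBA project.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data):
    """Return one of: 'ooxml-macro', 'ooxml-clean', 'ole2-legacy', 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams, which this script
        # does not parse, so the file is routed to a fuller analyzer.
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A VBA project part is present (under word/, xl/ or ppt/).
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Also trust the package's own content-type declaration.
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "unknown"


def build_sample_docx(with_macro):
    """Construct a minimal OOXML package (not a real Word file) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">')
        if with_macro:
            types += (b'<Override PartName="/word/vbaProject.bin" '
                      b'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += b"</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def needs_review(data):
    """Assumed gateway policy: hold macro-bearing and legacy-format documents."""
    return classify_attachment(data) in ("ooxml-macro", "ole2-legacy")


if __name__ == "__main__":
    for label, sample in (("macro", build_sample_docx(True)), ("plain", build_sample_docx(False))):
        print(label, classify_attachment(sample), "hold" if needs_review(sample) else "deliver")
```

Two points matter for the scenario in the post. The check ignores the file extension, so a `.docm` renamed to `.docx` is still caught because the VBA part is inside the zip regardless of the name. And a package can carry a `vbaProject.bin` without declaring it in `[Content_Types].xml` or vice versa, which is why both signals are tested before a document is passed as clean.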
It may not seem as if this malware is very threatening. After all, the malware developers only seem to have a network of reconnaissance devices. No harm seems to have been done. However, it is well known that reconnaissance is the first stage of a more serious attack, such as the attack that took down part of the Ukrainian power grid in December 2015. In other words, the attackers have a far more sinister goal in mind and, given the extent of the surveillance, whatever the attack will be, it is sure to be highly organized, precisely targeted, and extensive. It is probably being planned as you read this. With that, let me introduce BlackEnergy and Telebots.
It is quite clear that if an all-out cyber attack occurs, it will probably be based on the malware that brought down part of the Ukrainian power grid in 2015, BlackEnergy 3. BlackEnergy has been around for a while, but its newer versions come with Stuxnet-like capabilities: they can target computer-dependent industrial controls, such as those necessary for the proper operation of most machinery. Although the latest malware found in the infrastructure has been named Telebots, ESET, the cybersecurity firm that discovered it, believes it to be just another upgrade of BlackEnergy.
Similar to the attack vector outlined above, the Telebots group uses spear-phishing email with a fake Microsoft Excel document as the malware-releasing attachment. The malware can compromise other computers not connected to the internet by employing a tunneling tool. When they are finished with an attack, the operators can also deploy KillDisk, which is basically a hard-drive-erasing tool. It can be set to begin its destruction at a particular date or to target particular files. Look at it this way: if you wanted to disrupt a network, you would first steal all the important data you could; then you could render the computers operating that network, or the machinery connected to it, unusable.
To begin the attack, the reconnaissance performed with BugDrop would be analyzed to discover the weak points in the target country’s infrastructure. The subsequent attack would simultaneously bring down those weak points in a specified manner, the purpose of which would be to spread chaos. Needless to say, since many institutions and businesses are interconnected and thus dependent on one another, the attackers would not have to infect every part of the country’s infrastructure with malware to bring the entire nation to the point of complete collapse, and the developers probably already know this.
The assault on the Ukrainian power grid in 2015 can be considered a test, a proof of concept. The fact that the test succeeded led to phase two, a comprehensive reconnaissance program. The final assault, phase three, will likely use an even more sophisticated malware that can be installed by initiating an upgrade of pre-existing malware already residing in the infrastructure. It is important to note that the Telebots malware contains an automatic malware updater. In my opinion, the chaos resulting from a full-scale cyber attack would most likely be coordinated with phase 4, the final, physical military assault. Under these conditions, the ensuing battle would be overwhelmingly one-sided.
But Ukraine will not give up without a fight. It has some of the best hackers of all shades, and some of them have probably used BlackEnergy as a template to develop infrastructure-destroying malware of their own. In other words, a serious infrastructure attack on Ukraine will probably trigger a counterattack against Russia. Did the Russian trial cyber attack in 2015 trigger a counterattack? It’s possible. According to one source, Russia suffered a 50% increase in cyber attacks on power companies in 2016, with 350 total attempts. The US government is also getting nervous. It is preparing for an infrastructure attack and, in anticipation of one, has invested $4 million in the Chess Master Project, aimed at protecting critical infrastructure. Tests of Ukraine’s response capabilities may continue to ramp up to the point at which Russia feels confident enough to launch a more serious attack. If an attack occurs, other nations may be wittingly or unwittingly drawn into it. This is why the situation must be closely monitored. I will update this post if more information becomes available.