Nir Giller, co-founder and CTO of CyberX, said that Operation BugDrop is extracting 2.5 to 3 gigabytes from each infected computer per day. Right now, he said, it appears that the Russian hackers are working against Ukraine under specific direction, but it is not clear exactly who is ultimately behind the attack. Giller noted, however, that all indications are that the malware was created in Russia.
“It’s highly targeted,” Giller said, explaining that it’s aimed at critical infrastructure and the media.
Giller said that an operation such as BugDrop usually starts with a period of surveillance which may last up to six months. This is how the hackers determine who they want to attack and exactly how to go about the attack so that it’s most effective. “They have a specific goal,” he added.
Giller explained that the Russians monitored the Ukrainian power grid for six months before they brought it down in December 2015. One reason he thinks it is the Russian government is the resources required to process the massive amount of data being taken from Ukraine. He also said that the level of sophistication required to create this malware shows an ability to access vast resources.
While it appears the primary target of Operation BugDrop is Ukraine, there is already some activity in Saudi Arabia and other places. Giller explained that this malware, and reconnaissance malware in general, can be used to attack anywhere, including in the U.S.
He said that the best way to determine whether a network has been compromised is to monitor the outgoing traffic for signs of exfiltration. In this case, it’s many gigabytes of data going to Dropbox daily.
While the target for the exfiltration could change to some other public cloud service, the exfiltration still has to take place for the malware to do its job. He stressed that network monitoring is critical for spotting it. Once it is spotted, Giller said, there are measures an organization can take to get rid of it, including locating the registry key and running an anti-malware package that can find it.
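The detection Giller describes amounts to baselining outbound volume per host and flagging any host that pushes gigabytes a day to a cloud-storage domain. The following Python is an added example, not code from CyberX or from the article: it aggregates outbound bytes per source host per day from a small constructed proxy-log sample, restricts the count to Dropbox domains, and reports hosts over a daily budget. The log format, the field names, the sample lines and the 1 GiB/day threshold are all assumptions for illustration; the domain list can be extended to whichever cloud service the exfiltration is redirected to.

```python
# Added example (not from the article or CyberX): flag hosts that push an
# unusually large volume of data per day to a public cloud service such as
# Dropbox, the exfiltration pattern the article describes.
# Log format, field names, sample lines and the threshold are assumptions.
from collections import defaultdict
from datetime import datetime

# Hypothetical proxy log lines (constructed for this example):
# timestamp src_ip dest_host bytes_sent
SAMPLE_LOG = """\
2017-02-17T01:12:03Z 10.1.4.22 content.dropboxapi.com 734003200
2017-02-17T03:40:11Z 10.1.4.22 content.dropboxapi.com 1258291200
2017-02-17T09:15:45Z 10.1.4.22 api.dropboxapi.com 4096
2017-02-17T09:20:02Z 10.1.4.22 content.dropboxapi.com 1073741824
2017-02-17T10:02:19Z 10.1.7.9 www.dropbox.com 52428800
2017-02-17T11:30:00Z 10.1.7.9 update.microsoft.com 209715200
2017-02-18T02:00:00Z 10.1.4.22 content.dropboxapi.com 2684354560
2017-02-18T08:14:52Z 10.1.9.31 content.dropboxapi.com 20971520
"""

# Domains treated as the cloud-storage sink; extend for other services.
CLOUD_SINKS = ("dropbox.com", "dropboxapi.com")

# Per-host, per-day outbound byte budget to those domains (assumed value).
# 1 GiB/day is well below the 2.5-3 GB/day the article reports for BugDrop.
THRESHOLD_BYTES = 1 * 1024 ** 3


def is_cloud_sink(host: str) -> bool:
    """True if host is one of the sink domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_SINKS)


def aggregate_daily_upload(log_text: str) -> dict:
    """Return {(src_ip, 'YYYY-MM-DD'): bytes_sent} for traffic to cloud sinks."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, nbytes = line.split()
        if not is_cloud_sink(dest):
            continue
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        totals[(src, day)] += int(nbytes)
    return dict(totals)


def find_exfil_suspects(log_text: str, threshold: int = THRESHOLD_BYTES) -> list:
    """Hosts whose daily upload to cloud sinks exceeds the threshold, largest first."""
    totals = aggregate_daily_upload(log_text)
    suspects = [
        {"src_ip": src, "day": day, "bytes": n}
        for (src, day), n in totals.items()
        if n > threshold
    ]
    return sorted(suspects, key=lambda s: s["bytes"], reverse=True)


if __name__ == "__main__":
    for s in find_exfil_suspects(SAMPLE_LOG):
        gib = s["bytes"] / 1024 ** 3
        print(f"{s['src_ip']} {s['day']} {gib:.2f} GiB to cloud storage")
```

On the sample, only 10.1.4.22 trips the threshold (on both days); the host that sends a large update to a non-sink domain does not. TLS hides the payload but not the destination or the byte count, so this works on proxy, NetFlow or firewall logs alike. In practice a fixed threshold is a starting point; the stronger signal is a host whose daily upload to a given service departs sharply from its own history.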
But it is important to note that just because the attack is currently going on against Ukraine, that is no reason to think it can't happen here. Giller explained that the only thing needed is the motivation.
As soon as whoever is behind the attacks decides to start another attack, it could just as easily be the United States or a European Union country. Considering how poorly protected some critical infrastructure is in the U.S. and elsewhere, such an attack would surely succeed.