Large-scale hacking with sophisticated tactics, techniques and procedures is the order of the day, as was also witnessed in reports about the alleged Russian hack during the US elections, and now hackers are using built-in PC microphones to hack their way into corporate and personal data files.
In a campaign christened ‘Operation BugDrop’, the hackers behind the attack have secured scores of gigabytes of sensitive data from about 70 organisations and individuals in Ukraine.
These include editors of several Ukrainian newspapers, a scientific research institute, and organisations associated with human rights monitoring, counter-terrorism, cyber attacks, and oil, gas and water supply, in Russia, Saudi Arabia, Ukraine and Austria.
According to a report by cyber security firm CyberX, “the operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screenshots, documents and passwords.”
Hackers have started using microphones as a way of accessing target data because, while it’s easy to block video recordings by simply placing a tape over the webcam, disabling your system’s microphone requires you to unplug the hardware physically.
Many of these attacks targeted the self-declared separatist states of Donetsk and Luhansk, indicating a government interest in the operation, especially since these two states have been classified as terrorist outfits by the Ukrainian government.
The hackers use Dropbox for data theft because the cloud service’s traffic typically remains unblocked by corporate firewalls and the traffic flowing through it is rarely monitored either.
“Operation BugDrop infects its victims using targeted email phishing attacks and malicious macros embedded in Microsoft Office attachments. It also uses clever social engineering to trick users into enabling macros if they aren’t already enabled,” CyberX states.
An Example of How Macro Virus Attack Works
As a case in point, CyberX found this malicious Word document loaded with a macro virus, which usually goes undetected by more than 90 percent of the anti-virus software on the market.
Once macros (in brief, small pieces of program code embedded in the document) are enabled on your PC, the malicious program runs automatically and replaces code on your PC with malicious code.
If macros are disabled on the target PC (a Microsoft security feature that by default disables all macro code in a Word document), the malicious Word document opens a dialogue box as depicted in the image above.
The text on the image above reads: “Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of a document.”
As soon as the user enables the command, the malicious macro code replaces code on the PC, infects other files on the system and gives the attacker remote access, as seen in the case in point.
How and What Information was Collected by Hackers
Hackers, in this case, used an array of plugins to steal data after gaining remote access to the target devices.
The plugins included a file collector, which looks for a multitude of file extensions and uploads matching files to Dropbox, and a USB file collector, which locates and copies files from any USB drive attached to the infected device.
Beyond these file collectors, the attack used a browser data collection plugin, which steals login credentials and other sensitive data stored in the browser, a plugin to collect computer data including the IP address and the name and address of the owner, and more.
In addition to all this, the malware also gave hackers access to the target device’s microphone, which enables audio recordings — saved for perusal in the Dropbox storage of the attacker.
While no damage has been done to the targets in Operation BugDrop, CyberX points out that ‘identifying, locating and performing reconnaissance on targets is usually the first phase of operations with broader objectives.’
Once these details are gathered and uploaded to the attacker’s Dropbox account, they are downloaded on the other end and deleted from the cloud, leaving no trace of the transferred information.
The simplest way to safeguard yourself from macro virus attacks is to leave Microsoft Office’s default macro setting unchanged and not to give in to prompts such as the one discussed above.
If there is a dire need to enable macro settings, ensure that the Word document comes from a trusted source — a person or an organisation.
On an organisational level, to defend against such attacks, systems should be put in place that can detect anomalies in IT and OT networks at an early stage. Companies can also apply behavioural analytics algorithms, which help detect unauthorised activity in the network.
An action plan to defend against such viruses should be in place too, in order to avert the danger and avoid losing sensitive data if an attack is executed.
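The anomaly detection the article recommends, applied to the Dropbox channel the attackers relied on because it is seldom inspected: an added example (not from CyberX or the article) that sums per-host bytes POSTed to Dropbox domains in web proxy logs and flags hosts far above the fleet baseline. The log format, hostnames and byte counts are constructed.

```python
"""Flag anomalous upload volume to Dropbox in constructed proxy logs.

Assumed log format (one request per line):
timestamp client dest_host method bytes_sent
"""
import re
import statistics
from collections import defaultdict

# Constructed sample: three hosts use Dropbox, one of them uploads far more
PROXY_LOG = """\
2017-02-17T09:01:12 ws-editor-01 content.dropboxapi.com POST 184320
2017-02-17T09:03:40 ws-editor-02 content.dropboxapi.com POST 65536
2017-02-17T09:10:05 ws-editor-01 www.dropbox.com GET 1024
2017-02-17T09:15:22 ws-research-07 content.dropboxapi.com POST 52428800
2017-02-17T09:15:59 ws-research-07 content.dropboxapi.com POST 48234496
2017-02-17T09:20:00 ws-editor-03 mail.example.org POST 4096
2017-02-17T10:02:17 ws-research-07 content.dropboxapi.com POST 61440000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")


def dropbox_upload_bytes(log_text):
    """Sum bytes POSTed to Dropbox domains, keyed by client host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        _ts, client, dest, method, sent = m.groups()
        if method == "POST" and dest.endswith(DROPBOX_SUFFIXES):
            totals[client] += int(sent)
    return dict(totals)


def flag_exfil_candidates(totals, abs_limit=10 * 1024 * 1024, ratio=20):
    """Flag hosts whose Dropbox upload volume exceeds an absolute cap or is
    `ratio` times the median volume of the other Dropbox-using hosts."""
    flagged = {}
    for host, sent in totals.items():
        others = [v for h, v in totals.items() if h != host]
        baseline = statistics.median(others) if others else 0
        if sent > abs_limit or (baseline and sent > ratio * baseline):
            flagged[host] = sent
    return flagged


if __name__ == "__main__":
    for host, sent in flag_exfil_candidates(dropbox_upload_bytes(PROXY_LOG)).items():
        print(f"review {host}: {sent / 1048576:.1f} MiB uploaded to Dropbox")
```

Tune `abs_limit` and `ratio` to the site's normal Dropbox use; a host whose volume only makes sense for bulk file and audio collection is the one to investigate first.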
The report concluded that there is no hard proof that the hackers were hired by a government agency.
But given the sophistication of the attack, there is no doubt that the hackers needed a significant staff to go through the stolen data, as well as storage space for all the data collected, indicating that they were either very rich or received financial backing from a government or non-government institution.
While the majority of these attacks were conducted in Ukraine, it is safe to say that such attacks can be conducted in any country, depending on the vested interests of the hackers or of the people hiring them to gain access to sensitive data.