The Framingham-based Internet security firm CyberX said it has spotted a new weapon in the ongoing cyberwar between Russia and Ukraine — a program called BugDrop that is being used to steal vast amounts of sensitive data from Ukrainian businesses and institutions.
“It looks very professional ... and most important, very successful,” said CyberX co-founder Nir Giller, a former engineer for the Israel Defense Forces cybersecurity unit.
Ukraine is already believed to be the target of a massive cyberwarfare campaign run by Russia, which annexed the Ukrainian territory of Crimea in 2014 and has been involved in a tense military standoff with Ukraine ever since.
In 2015, an electrical outage cut power to 230,000 Ukrainian homes in what US authorities concluded was the world’s first successful hack of a nation’s electrical grid. A similar attack in late December 2016 cut power to a large part of the Ukrainian capital, Kiev.
In BugDrop, attackers are using booby-trapped Microsoft Word documents to get inside computer systems and copy vital data, according to CyberX. The infected machines record all keystrokes, take screenshots of the monitor, and even activate the computer’s microphone to record voices. All the data is encrypted and sent to a Dropbox account.
Giller estimated that BugDrop has collected up to 3 gigabytes of data per day since it was launched, probably last year.
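The two details above that a defender can act on are the exfiltration channel (encrypted uploads to a Dropbox account) and the volume (up to 3 gigabytes a day). A network team that already logs outbound proxy traffic can use those to look for workstations pushing unusually large amounts of data to cloud file-sharing domains. The script below is an added illustration of that check and is not CyberX's tooling or anything described in the article; the log format, the domain list and the 500 MiB daily threshold are assumptions chosen for the demonstration, and the log lines are constructed.

```python
"""Flag hosts that upload unusually large volumes to cloud-storage domains.

Added illustrative example (not CyberX's tooling). The proxy-log format is a
constructed simplification: timestamp, client host, destination host, bytes
sent. Domain list and threshold are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: destinations treated as cloud file-sharing endpoints.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")

# Assumption: more than 500 MiB uploaded by one host in one day warrants review.
DAILY_UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed sample log. ws-042 pushes roughly 1 GB to Dropbox on 2017-02-10;
# ws-017 makes a small, ordinary upload.
SAMPLE_LOG = """\
2017-02-10T08:01:12Z ws-042 content.dropboxapi.com 52428800
2017-02-10T08:31:40Z ws-042 content.dropboxapi.com 734003200
2017-02-10T09:02:03Z ws-017 www.example.com 4096
2017-02-10T09:15:55Z ws-017 content.dropboxapi.com 10485760
2017-02-10T12:45:09Z ws-042 api.dropboxapi.com 262144000
2017-02-11T07:10:00Z ws-042 content.dropboxapi.com 1048576
"""


def parse_line(line):
    """Split one log line into (date, client host, destination host, bytes sent)."""
    ts, host, dst, sent = line.split()
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    return day, host, dst, int(sent)


def is_cloud_storage(dst):
    """True if the destination is one of the watched domains or a subdomain of one."""
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def daily_cloud_uploads(log_text):
    """Sum bytes sent to cloud-storage domains, keyed by (host, date)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, host, dst, sent = parse_line(line)
        if is_cloud_storage(dst):
            totals[(host, day)] += sent
    return dict(totals)


def flag_hosts(log_text, threshold=DAILY_UPLOAD_THRESHOLD_BYTES):
    """Return (host, date, bytes) for every host/day whose total exceeds the threshold."""
    return sorted(
        (host, day.isoformat(), total)
        for (host, day), total in daily_cloud_uploads(log_text).items()
        if total > threshold
    )


if __name__ == "__main__":
    for host, day, total in flag_hosts(SAMPLE_LOG):
        print(f"{day} {host}: {total / (1024 * 1024):.0f} MiB to cloud storage")
```

The point of the aggregation is that a single large upload is easy to miss in a busy proxy log, while a per-host daily sum against a baseline surfaces the sustained outflow that a multi-gigabyte-per-day collection campaign would produce. In practice the threshold would be derived from each organization's own normal cloud-storage usage rather than fixed.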
More than 70 organizations have been hit by BugDrop, including two Ukrainian newspapers, a company that makes oil and gas pipeline equipment, a company that designs water systems and electrical substations, and an international human rights organization.
CyberX researchers also found infected computers in Russia, Austria, and Saudi Arabia.
CyberX has not identified the perpetrators but noted that since BugDrop attackers would need ample resources, the attack could be state-sponsored. But they don’t know which state is behind it. Some of the targets are in regions of Ukraine dominated by pro-Russia separatists, leading Phil Neray, CyberX vice president of industrial cybersecurity, to question whether Moscow or Kiev is behind the BugDrop operation.

Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.