There’s a newly-discovered player in the world of state-sponsored malware, following in the footsteps of Flame, Duqu and Regin: Project Sauron.
Clearly coded by a Tolkien fan, Project Sauron catches the attention not only for seemingly surviving under the radar for five years but also, as Ars Technica reports, for its apparent interest in air-gapped computers:
Part of what makes Project Sauron so impressive is its ability to collect data from air-gapped computers. To do this, it uses specially prepared USB storage drives that have a virtual file system that isn’t viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the air-gapped machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.
Kaspersky researchers still aren’t sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn’t in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.
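The quoted description (a USB stick with several hundred megabytes reserved outside the file system Windows shows) suggests one cheap check a defender can run on removable media: parse the partition table and compare the space it accounts for against the device's real capacity. The script below is an added example, not Kaspersky's or Ars Technica's code and not a description of how Project Sauron actually hides its store; it assumes a classic MBR layout (no GPT, no extended partitions) and treats a 100 MB gap as worth a look. The two sample MBRs are constructed inline, standing in for an 8 GiB stick.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte partition entries live at 446..509
MBR_SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510..511


def parse_mbr_partitions(mbr: bytes):
    """Return (type, lba_start, sector_count) for every populated MBR entry."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:      # empty slot
            continue
        parts.append((ptype, lba_start, count))
    return parts


def unallocated_bytes(mbr: bytes, device_bytes: int) -> int:
    """Bytes after the last partition that no partition-table entry accounts for."""
    total_sectors = device_bytes // SECTOR
    end = 1                                # sector 0 is the MBR itself
    for _, start, count in parse_mbr_partitions(mbr):
        end = max(end, start + count)
    return max(0, total_sectors - end) * SECTOR


def suspicious(mbr: bytes, device_bytes: int, threshold: int = 100 * 1024 * 1024) -> bool:
    """Flag media whose tail gap is at least `threshold` bytes (assumed cut-off, hypothetical)."""
    return unallocated_bytes(mbr, device_bytes) >= threshold


def build_mbr(partitions) -> bytes:
    """Construct a minimal MBR from (type, lba_start, count) tuples (sample input only)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x00, ptype, start, count)
                     for ptype, start, count in partitions)
    return b"\x00" * MBR_TABLE_OFFSET + table.ljust(64, b"\x00") + MBR_SIGNATURE


# Constructed sample input: an 8 GiB stick (16,777,216 sectors).
DEVICE_BYTES = 8 * 1024 ** 3
# One FAT32 partition that stops 614,400 sectors (300 MiB) short of the end.
HIDDEN_MBR = build_mbr([(0x0C, 2048, 16_160_768)])
# The same stick with the FAT32 partition running to the last sector.
CLEAN_MBR = build_mbr([(0x0C, 2048, 16_775_168)])

if __name__ == "__main__":
    for name, mbr in (("hidden-gap stick", HIDDEN_MBR), ("clean stick", CLEAN_MBR)):
        gap = unallocated_bytes(mbr, DEVICE_BYTES)
        print(f"{name}: {gap // (1024 * 1024)} MiB unaccounted for, "
              f"suspicious={suspicious(mbr, DEVICE_BYTES)}")
```

On a real host you would read the first 512 bytes of the raw device (for example `\\.\PhysicalDrive2` on Windows or `/dev/sdb` on Linux) and take the capacity from the OS rather than a constant. Treat a hit as a lead, not a verdict: vendors routinely leave slack at the end of flash media, a carefully built implant could instead hide data inside the visible file system, and Kaspersky had not, at the time of the report, explained the mechanism.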
There are two big problems that attackers have when exfiltrating information from computers that are not connected to the internet or other accessible computer systems: how do you get your malware on the targeted air-gapped PCs, and how do you then steal the data off them?
As a recent study showed, there are sneaky methods for increasing the chances that a worker will plug in an unknown USB drive, but getting the drive inserted does not by itself solve the harder problems of avoiding detection and then successfully getting the secrets back out.
Kaspersky goes on to describe how the attacks are designed to steal such sensitive information as encryption keys and passwords, as well as to map out details of network infrastructure. Targeted organisations include government agencies, military organisations, telecom firms, and financial institutions in Russia, Iran, China, Rwanda, Sweden, and Belgium.
An obvious question to ask is – who might be behind these attacks? And that’s one that the security firms aren’t prepared to answer (attribution is, after all, extremely complex when it comes to attacks like this).
However, I don’t think anybody would be at all surprised – given some of the notable countries in the list of targets – if the masterminds of Project Sauron were a Western power.
That shouldn’t be a surprise. The biggest shock of all would be if any advanced intelligence agency wasn’t using the internet and malware for espionage.
It’s not just the Russians and the Chinese who are up to this kind of shenanigans…
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.