Dark Reading is part of the Informa Tech Division of Informa PLC
Attacks/Breaches

8/9/2016 06:40 PM
30 More Victims Pinned On Highly Selective Cyberespionage Group

Kaspersky Lab says newly discovered threat actor ProjectSauron -- called Strider by Symantec -- has hit organizations in Russia, Rwanda, Iran, and Italian-speaking nations.

A cyber espionage group that has been operating covertly since at least June 2011 had its cover blown this week by two security vendors, both of whom said they discovered the group’s activity from malware samples submitted to them by their respective customers.

Kaspersky Lab, which has dubbed the group ProjectSauron, described it as a sophisticated nation-state threat actor targeting state organizations. The group has been using a different set of attack tools for each victim, making its activities almost impossible to spot using traditional indicators of compromise such as file hashes, domains, and IP addresses, the vendor said.

The core payloads used by ProjectSauron to exfiltrate data from victim networks are customized for individual targets and are never used again in other attacks. “This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks,” Kaspersky Lab said in an alert Monday.
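Because the implants are unique per victim, hash- and domain-based indicators do not transfer between networks; what does transfer is the behaviour of the exfiltration channel. The script below is an added example, not code from the article, Kaspersky Lab, or Symantec: it scores DNS query logs for the hallmarks of data tunnelled over DNS (many distinct, long, high-entropy leftmost labels from one client to one registered domain, often as TXT or NULL queries). The log format, the thresholds, and the sample lines are constructed for illustration, and the "last two labels" approximation of the registered domain is a simplification that a public-suffix list would replace in production.

```python
"""Heuristic detector for DNS-based data exfiltration over query logs.

Added example; not code from the article or from Kaspersky Lab/Symantec.
Log format, thresholds and sample lines are constructed for illustration.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic): "<timestamp> <client_ip> <query_name> <qtype>"
# 10.1.2.3 browses normally; 10.1.2.7 pushes 32-byte hex chunks through TXT lookups.
SAMPLE_DNS_LOG = """\
2016-08-08T09:00:01 10.1.2.3 www.example.com A
2016-08-08T09:00:02 10.1.2.3 mail.example.com MX
2016-08-08T09:00:03 10.1.2.7 4a7b3c9d2e1f0a6b5c4d3e2f1a0b9c8d.files.example.org TXT
2016-08-08T09:00:04 10.1.2.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.files.example.org TXT
2016-08-08T09:00:05 10.1.2.7 0123456789abcdef0123456789abcdef.files.example.org TXT
2016-08-08T09:00:06 10.1.2.7 fedcba9876543210fedcba9876543210.files.example.org TXT
2016-08-08T09:00:07 10.1.2.3 cdn.example.net A
2016-08-08T09:00:08 10.1.2.3 www.example.com A
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (prefix, registered_domain).

    Assumption: the registered domain is the last two labels. Real deployments
    should use a public-suffix list so that e.g. 'example.co.uk' is handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class DomainStats:
    """Per (client, registered domain) counters accumulated from the log."""
    queries: int = 0
    txt_queries: int = 0
    prefixes: set = field(default_factory=set)
    entropy_sum: float = 0.0
    prefix_len_sum: int = 0

    @property
    def mean_entropy(self) -> float:
        return self.entropy_sum / self.queries if self.queries else 0.0

    @property
    def mean_prefix_len(self) -> float:
        return self.prefix_len_sum / self.queries if self.queries else 0.0


def aggregate(log_text: str) -> dict:
    """Parse the log and aggregate statistics keyed by (client_ip, registered_domain)."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, qtype = parts
        prefix, domain = split_query(qname)
        # Encoded data is normally packed into the leftmost label, so score that one.
        leftmost = prefix.split(".")[0] if prefix else ""
        s = stats[(client, domain)]
        s.queries += 1
        if qtype.upper() in ("TXT", "NULL"):
            s.txt_queries += 1
        s.prefixes.add(prefix)
        s.entropy_sum += shannon_entropy(leftmost)
        s.prefix_len_sum += len(leftmost)
    return stats


def find_suspicious(log_text: str, min_unique: int = 3,
                    min_entropy: float = 3.0, min_len: int = 20) -> list:
    """Return [(client, domain, DomainStats)] for pairs matching every tunnelling signal.

    Thresholds are illustrative: tune them against a baseline of your own traffic.
    """
    hits = []
    for (client, domain), s in aggregate(log_text).items():
        if (len(s.prefixes) >= min_unique
                and s.mean_entropy >= min_entropy
                and s.mean_prefix_len >= min_len):
            hits.append((client, domain, s))
    return sorted(hits, key=lambda h: (h[0], h[1]))


if __name__ == "__main__":
    for client, domain, s in find_suspicious(SAMPLE_DNS_LOG):
        print(f"{client} -> {domain}: {s.queries} queries, {len(s.prefixes)} unique prefixes, "
              f"entropy {s.mean_entropy:.2f}, mean label length {s.mean_prefix_len:.0f}, "
              f"TXT/NULL {s.txt_queries}")
```

Run against the constructed log it flags only 10.1.2.7 talking to example.org; the ordinary client never accumulates enough distinct, long, high-entropy labels to one domain. The same aggregation applied to mail gateway logs (unusual attachment volumes to a single external recipient) would cover the "legitimate email channels" route the alert mentions.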

Kaspersky Lab said it has discovered at least 30 organizations in Russia, Rwanda and Iran that appear to have been victimized by ProjectSauron so far. There’s a good chance that many others are affected as well, including some in Italian-speaking countries, it said. The group’s victims have mostly tended to be government organizations, the military, scientific research centers, telecom operators, and financial services providers.

Several aspects of ProjectSauron’s modus operandi are noteworthy, according to Kaspersky Lab. In addition to using highly customized core implants, ProjectSauron also leverages legitimate software update scripts to download new modules or to execute malicious commands entirely in memory, leaving little on disk for forensic examination.

The operators of ProjectSauron have also shown a tendency to go after the systems and infrastructure that organizations use to encrypt communications, voice, email, and document exchanges. “The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.”

Significantly, the group has used specially modified USB drives to try to infect air-gapped systems (systems that are not directly connected to the Internet). The drives have typically contained hidden compartments for storing stolen data, Kaspersky Lab said, without offering any explanation of how ProjectSauron operatives might have tricked victim organizations into using the rogue drives on air-gapped systems.

Kaspersky Lab did not respond to a request for comment on the issue.

Symantec, which was the other vendor to issue an alert on the threat actor this week, described it as a fairly advanced cyber espionage group. “This assessment is based in part on their malware, selective targeting, and their ability to go undetected for so long,” says Jon DiMaggio, Sr. Threat Intelligence Analyst for Symantec Security Response.

The Strider group, which is Symantec’s name for ProjectSauron, is noteworthy for its use of a sophisticated malware tool called Remsec that appears designed primarily for cyber espionage.

“The Remsec malware created and used by Strider is fairly unique in its use of executable [Binary Large Objects] and use of Lua modules which is not what we typically see with espionage malware,” DiMaggio says. The only malware with similar functionality that has been seen previously is an espionage tool called Flamer, he said.

Strider appears to have the technical capability and funding to develop custom malware capable of gaining remote access to infected systems, capturing keystrokes and adding new functionality quickly, he says. “The modular design may also be a sign that the attacker wanted to ensure there was flexibility built into their malware to add future capabilities without a major re-write of code,” DiMaggio said.

Symantec said it has found evidence of Strider infections in a total of just 36 computers across seven organizations in Belgium, China, Russia and Sweden so far. But that is most likely only because the group has been highly selective of the targets it has gone after so far, DiMaggio says.

“Based on the sophistication of Strider operations and malware it is more likely that their operations are based on selective targeting as opposed to the group struggling to successfully compromise intended targets,” he says. The fact that the group has gone undetected for years suggests that Strider is an advanced group that plans out its operations and executes with specific objectives in mind, DiMaggio said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
