Dark Reading is part of the Informa Tech Division of Informa PLC


30 More Victims Pinned On Highly Selective Cyberespionage Group

Kaspersky Lab says newly discovered threat actor ProjectSauron -- called Strider by Symantec -- has hit organizations in Russia, Rwanda, Iran, and Italian-speaking nations.

A cyber espionage group that has been operating covertly since at least June 2011 had its cover blown this week by two security vendors, both of whom said they discovered the group’s activity from malware samples submitted to them by their respective customers.

Kaspersky Lab, which has dubbed the group ProjectSauron, described it as a sophisticated nation-state threat actor targeting state organizations. The group has been using a different set of attack tools for each victim, making its activities almost impossible to spot using traditional indicators of compromise, the vendor said.

The core payloads used by ProjectSauron to exfiltrate data from victim networks are customized for individual targets and are never used again in other attacks. “This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks,” Kaspersky Lab said in an alert Monday.

Kaspersky Lab said it has discovered at least 30 organizations in Russia, Rwanda and Iran that appear to have been victimized by ProjectSauron so far. There’s a good chance that many others are affected as well, including some in Italian-speaking countries, it said. The group’s victims have mostly tended to be government organizations, the military, scientific research centers, telecom operators, and financial services providers.

Several aspects of ProjectSauron’s modus operandi are noteworthy, according to Kaspersky Lab. In addition to using highly customized core implants, ProjectSauron also leverages legitimate software update scripts to download new modules or execute malicious commands entirely in memory.

The operators of ProjectSauron have also shown a tendency to go after the systems and infrastructure that organizations use to encrypt communications, voice, email, and document exchanges. “The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.”

Significantly, the group has used specially modified USB drives to try to infect air-gapped systems—or systems that are not directly connected to the Internet. The drives have typically contained secret compartments for hiding stolen data, Kaspersky Lab said, without offering any explanation of how ProjectSauron operatives might have tricked victim organizations into using the rogue drives on air-gapped systems.

Kaspersky Lab did not respond to a request for comment on the issue.

Symantec, which was the other vendor to issue an alert on the threat actor this week, described it as a fairly advanced cyber espionage group. “This assessment is based in part by their malware, selective targeting, and their ability to go undetected for so long,” says Jon DiMaggio, Sr. Threat Intelligence Analyst for Symantec Security Response.

The Strider group, which is Symantec’s name for ProjectSauron, is noteworthy for its use of a sophisticated malware tool called Remsec that appears designed primarily for cyber espionage.

“The Remsec malware created and used by Strider is fairly unique in its use of executable [Binary Large Objects] and use of Lua modules which is not what we typically see with espionage malware,” DiMaggio says. The only malware with similar functionality that has been seen previously is an espionage tool called Flamer, he said.

Strider appears to have the technical capability and funding to develop custom malware capable of gaining remote access to infected systems, capturing keystrokes and adding new functionality quickly, he says. “The modular design may also be a sign that the attacker wanted to ensure there was flexibility built into their malware to add future capabilities without a major re-write of code,” DiMaggio said.

Symantec said it has found evidence of Strider infections in a total of just 36 computers across seven organizations in Belgium, China, Russia and Sweden so far. But that is most likely only because the group has been highly selective about the targets it has gone after, DiMaggio says.

“Based on the sophistication of Strider operations and malware it is more likely that their operations are based on selective targeting as opposed to the group struggling to successfully compromise intended targets,” he says. The fact that the group has gone undetected for years suggests that Strider is an advanced group that plans out its operations and executes with specific objectives in mind, DiMaggio said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
