8/9/2016
06:40 PM
30 More Victims Pinned On Highly Selective Cyberespionage Group

Kaspersky Lab says newly discovered threat actor ProjectSauron -- called Strider by Symantec -- has hit organizations in Russia, Rwanda, Iran, and Italian-speaking nations.

A cyber espionage group that has been operating covertly since at least June 2011 had its cover blown this week by two security vendors, both of whom said they discovered the group’s activity from malware samples submitted to them by their respective customers.

Kaspersky Lab, which has dubbed the group ProjectSauron, described it as a sophisticated nation-state threat actor targeting state organizations. The group has been using a different set of attack tools for each victim, making its activities almost impossible to spot using traditional indicators of compromise, the vendor said.

The core payloads used by ProjectSauron to exfiltrate data from victim networks are customized for individual targets and are never used again in other attacks. “This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks,” Kaspersky Lab said in an alert Monday.
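One defensive check the DNS exfiltration route mentioned above invites, as an added example that is not part of the article or of Kaspersky Lab's analysis: a small heuristic, run over constructed DNS query log lines, that flags zones receiving many distinct long, high-entropy subdomain labels. The log lines, the client address and the corp-update.example zone are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the article): "<client> <queried name>".
# The corp-update.example zone carries random-looking labels that change on every
# query, the pattern a lookalike "update" domain used for DNS exfiltration produces.
SAMPLE_LOG = """\
10.0.0.12 www.example.org
10.0.0.12 mail.example.org
10.0.0.12 static-assets.example.net
10.0.0.12 k3x9qz2mvt7ya4bw.0.corp-update.example
10.0.0.12 p8rd5nh6cj0fgs1e.1.corp-update.example
10.0.0.12 u2lo7ik4tx9mq3zv.2.corp-update.example
10.0.0.12 b6wa1ye8rc5d0hn4.3.corp-update.example
10.0.0.12 s9jf3gp7vk2qt8xl.4.corp-update.example
10.0.0.12 z4mn0eu6oc1ib5ra.5.corp-update.example
10.0.0.12 www.example.org
"""

def shannon_entropy(s):
    """Bits per character: 4.0 for a 16-char label with no repeats, 0.0 for 'aaaa'."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def payload_labels_by_zone(log, min_len=12, min_entropy=3.0):
    """Map each zone (last two labels, a rough stand-in for a public-suffix lookup)
    to the set of distinct long, high-entropy labels queried beneath it."""
    zones = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line, skip rather than crash the sweep
        labels = parts[1].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # nothing below the zone to inspect
        zone = ".".join(labels[-2:])
        for label in labels[:-2]:
            if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
                zones[zone].add(label)
    return zones

def suspicious_zones(log, min_unique=5):
    """Zones with at least min_unique distinct payload-like labels, sorted."""
    by_zone = payload_labels_by_zone(log)
    return sorted(z for z, labels in by_zone.items() if len(labels) >= min_unique)

if __name__ == "__main__":
    for zone in suspicious_zones(SAMPLE_LOG):
        print("possible DNS exfiltration via", zone)
```

The thresholds are starting points; on real resolver logs, tune them against a baseline of known CDN and telemetry zones before alerting.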

Kaspersky Lab said it has discovered at least 30 organizations in Russia, Rwanda and Iran that appear to have been victimized by ProjectSauron so far. There’s a good chance that many others are affected as well, including some in Italian-speaking countries, it said. The group’s victims have mostly tended to be government organizations, the military, scientific research centers, telecom operators, and financial services providers.

There are several aspects of ProjectSauron’s modus operandi that are noteworthy, according to Kaspersky Lab. In addition to using highly customized core implants, ProjectSauron leverages legitimate software update scripts to download new modules or execute malicious commands entirely in memory.

The operators of ProjectSauron have also shown a tendency to go after the systems and infrastructure that organizations use to encrypt communications, voice, email, and document exchanges. “The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.”

Significantly, the group has used specially modified USB drives to try and infect air-gapped systems—or systems that are not directly connected to the Internet. The drives have typically contained secret compartments for hiding stolen data, Kaspersky Lab said without offering any explanation on how ProjectSauron operatives might have tricked victim organizations into using the rogue drives on air-gapped systems.

Kaspersky Lab did not respond to a request for comment on the issue.

Symantec, which was the other vendor to issue an alert on the threat actor this week, described it as a fairly advanced cyber espionage group. “This assessment is based in part by their malware, selective targeting, and their ability to go undetected for so long,” says Jon DiMaggio, Sr. Threat Intelligence Analyst for Symantec Security Response.

The Strider group, which is Symantec’s name for ProjectSauron, is noteworthy for its use of a sophisticated malware tool called Remsec that appears designed primarily for cyber espionage.

“The Remsec malware created and used by Strider is fairly unique in its use of executable [Binary Large Objects] and use of Lua modules which is not what we typically see with espionage malware,” DiMaggio says. The only malware with similar functionality that has been seen previously is an espionage tool called Flamer, he said.

Strider appears to have the technical capability and funding to develop custom malware capable of gaining remote access to infected systems, capturing keystrokes and adding new functionality quickly, he says. “The modular design may also be a sign that the attacker wanted to ensure there was flexibility built into their malware to add future capabilities without a major re-write of code,” DiMaggio said.

Symantec said it has found evidence of Strider infections in a total of just 36 computers across seven organizations in Belgium, China, Russia and Sweden so far. But that is most likely only because the group has been highly selective of the targets it has gone after so far, DiMaggio says.

“Based on the sophistication of Strider operations and malware it is more likely that their operations are based on selective targeting as opposed to the group struggling to successfully compromise intended targets,” he says. The fact that the group has gone undetected for years suggests that Strider is an advanced group that plans out its operations and executes with specific objectives in mind, DiMaggio said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...