A new study of 17 malware frameworks shows threat actors always use USB drives to sneak malware into air-gapped environments and then steal data from there.


Cyberattacks on air-gapped systems, including the sophisticated and dangerous 2010 Stuxnet attack that crippled a uranium enrichment facility, all have one thing in common: a USB stick.

A new ESET study of 17 malware frameworks that threat actors have used over the past decade to target air-gapped systems showed every one of them used a USB drive to introduce malware into the environment and extract data from there. The security vendor found that the best defense for organizations against attacks on air-gapped systems is to restrict USB use as much as possible and to monitor them closely in situations where the devices need to be used.

"Defending air-gapped networks against cyberattacks is a very complex topic that involves several disciplines," says Alexis Dorais-Joncas, security intelligence team lead at ESET. "That being said, there is value in understanding how known [malware] frameworks operate in air-gapped environments and deriving ways to detect and block common malicious activities."

Organizations often protect their most critical business and operations systems by physically separating them — or air-gapping them — from other connected networks. The goal is to ensure that an attacker who might have gained access to the enterprise network has no way of reaching these systems through lateral movement, privilege escalation, and other methods.

Even so, there have been numerous instances over the past several years where threat actors managed to bridge the air gap and access mission-critical systems and infrastructure. The Stuxnet attack on Iran — believed to have been led by US and Israeli cybersecurity teams — remains one of the most notable examples. In that campaign, operatives managed to insert a USB device containing the Stuxnet worm into a target Windows system, where it exploited a vulnerability (CVE-2010-2568) that triggered a chain of events that eventually resulted in numerous centrifuges at Iran's Natanz uranium enrichment facility being destroyed.

Other frameworks that have been developed and used in attacks on air-gapped systems over the years include Ramsay from the South Korean hacking group DarkHotel, PlugX from China-based Mustang Panda, Fanny from the likely NSA-affiliated Equation Group, and USBCulprit from China-based Goblin Panda. ESET analyzed these malware frameworks along with others that have not been specifically attributed to any group, such as ProjectSauron and agent.btz. The security vendor's researchers focused specifically on facets such as malware execution mechanisms; malware functionality within air-gapped networks for persistence, reconnaissance, and other activities; and communication and exfiltration channels.

Big Similarities
The exercise revealed major similarities among all of them, including malware frameworks from as long as 15 years ago. In addition to USB drives being a common thread, every malware toolkit for air-gapped networks was also the handiwork of an advanced persistent threat group. All frameworks were designed to conduct espionage and to specifically target Windows devices. More than 75% of them used malicious LNK or autorun files on USB drives to initially compromise an air-gapped system or to move laterally within an air-gapped network.
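As an added example (not code from ESET or the article) of the close monitoring of removable media the study recommends: a scanner for a mounted USB drive that reports autorun.inf launch keys and .lnk shortcuts whose target or arguments name an executable or script, the two initial-execution artifacts found on most of the frameworks. It assumes the MS-SHLLINK layout for the shortcut header and StringData section; the sample drive contents are constructed.

```python
import os, re, struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # MS-SHLLINK LinkCLSID
EXEC_REF = re.compile(r"\.(exe|dll|scr|bat|cmd|vbs|js)\b", re.I)  # names a runnable file
def parse_lnk_strings(data):
    """StringData fields (name, relative_path, working_dir, arguments, icon_location) of a .lnk."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        return {}  # not a Shell Link: wrong HeaderSize or LinkCLSID
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte LinkInfoSize that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")  # IsUnicode
    out = {}
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:  # CountCharacters (2 bytes), then the string with no terminator
            n = struct.unpack_from("<H", data, pos)[0]
            out[name] = data[pos + 2:pos + 2 + n * width].decode(enc, "replace")
            pos += 2 + n * width
    return out
def scan_entries(entries):
    """entries: (path relative to the drive root, bytes). Flags autorun launch keys and shortcuts that run code."""
    findings = []
    for rel, data in entries:
        if rel.lower() == "autorun.inf":  # Windows only honours a root-level autorun.inf
            for m in re.finditer(r"^[ \t]*(open|shellexecute)[ \t]*=[ \t]*(\S.*)$", data.decode("utf-8", "replace"), re.I | re.M):
                findings.append(("autorun", m.group(1).lower(), m.group(2).strip()))
        elif rel.lower().endswith(".lnk"):
            s = parse_lnk_strings(data)
            cmd = f"{s.get('relative_path', '')} {s.get('arguments', '')}".strip()
            if EXEC_REF.search(cmd):  # target or arguments reference an executable or script
                findings.append(("lnk", rel, cmd))
    return findings
def scan_drive(root):  # feed a mounted drive's autorun.inf and *.lnk files to scan_entries
    def entries():
        for dirpath, _, files in os.walk(root):
            for name in (x for x in files if x.lower() == "autorun.inf" or x.lower().endswith(".lnk")):
                with open(os.path.join(dirpath, name), "rb") as f:
                    yield os.path.relpath(os.path.join(dirpath, name), root), f.read()
    return scan_entries(entries())
def build_lnk(relative_path, arguments):  # constructed minimal shortcut: header + RelativePath + Arguments
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x08 | 0x20 | 0x80) + b"\0" * 52
    return header + b"".join(struct.pack("<H", len(v)) + v.encode("utf-16-le") for v in (relative_path, arguments))
SAMPLE_DRIVE = [  # constructed contents of a USB stick: autorun.inf, a benign shortcut and a suspicious one
    ("autorun.inf", b"[autorun]\nicon=setup.ico\nopen=setup\\installer.exe\n"),
    ("Budget.lnk", build_lnk(".\\docs\\budget.xlsx", "")),
    ("Report.lnk", build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c start .\\~tmp\\loader.exe")),
]
```

Run `scan_drive(mount_point)` against a real stick; `scan_entries(SAMPLE_DRIVE)` shows the two expected findings. Real shortcuts also carry an ID list and link info before the strings, which the parser skips over.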

"The main takeaway is that the one and only point of entry ever observed into air-gapped networks is via USB drives. That’s where organizations should focus their efforts," says Dorais-Joncas. "[Organizations] should also realize that many of the 17 frameworks took advantage of one-day vulnerabilities, which are security flaws for which a patch existed at the time of exploitation," he says. This means keeping air-gapped systems up to date with the latest security fixes is important and would force the attacker to either develop or acquire suitable zero-day exploits or to use less efficient techniques, he says.

ESET found that while frameworks for attacking air-gapped networks share many similarities, the way the attacks themselves are carried out tends to fall into one of two categories: connected frameworks and offline frameworks.

Attack Categories
Connected frameworks are built to provide fully remote, end-to-end connectivity over the Internet between the attacker and the compromised systems on the air-gapped side, Dorais-Joncas says. In connected framework attacks, threat actors first compromise an organization's Internet-connected systems and install malware on them that can detect when a USB device is inserted. The USB drives are weaponized with a malicious payload that gets transferred to any air-gapped system they are plugged into. The poisoned USB device conducts reconnaissance on the air-gapped systems, collects specific information from them, and stores it on the device. When the USB drive is put back into the compromised system on the Internet-connected network, the stored data is exfiltrated.

Dorais-Joncas says one potential reason why an organization might use a USB to share information between a connected network and air-gapped system is to deploy new software. 

"Imagine a system administrator downloading some software installer on his compromised connected computer, inserting a USB drive to copy the installer, and then going from one air-gapped system to another to install the software," Dorais-Joncas says.

Even with automated frameworks though, a USB device would still need to be physically shared between the Internet-connected network and air-gapped environment for the attack to work, he says. 

Some research has shown how data can be transmitted out of air-gapped environments through covert transmission — without any human involvement. But ESET said it was not able to find a single instance where this might have happened.

Offline frameworks, meanwhile, have no intermediary connected system. In these attacks, an operator or collaborator on the ground performs all the actions, such as preparing the initial malicious USB drive and ensuring it is introduced to the air-gapped side so the payload can execute in the target environment.

"While all the initial execution vectors on the air-gapped side relied on USB drives, we noted a pretty wide variety of techniques to get malicious code to execute," Dorais-Joncas says. Some, like Stuxnet, exploited vulnerabilities that allowed automated execution of the malicious payload. In other instances, the attack framework relied on an unsuspecting user to insert a malware-laden USB into an air-gapped system and launch the code — by, for instance, getting them to open a malicious Office document on the drive.

James Bond
The last scenario is where an attacker manages to gain direct access to a target air-gapped system and uses the USB drive to deliberately install malware to steal data from it. 

"That is the James Bond scenario," Dorais-Joncas notes. "The malware would then perform its espionage activity, such as copying the desired files back to the drive, and the operator would then disconnect the drive and leave the premises."

The malware in these kinds of attacks does not have any persistence mechanisms at all, he notes, indicating that its use would be a "hit-and-run" type of attack.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
