In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform flagged an unusual feature in the network of a client organisation. The anomaly led researchers to ‘ProjectSauron’, a nation-state threat actor attacking state organisations with a unique set of tools for each victim, making traditional indicators of compromise almost useless. The aim of the attacks appears to be mainly cyber-espionage.
ProjectSauron is particularly interested in gaining access to encrypted communications, hunting them down using an advanced modular cyber-espionage platform that incorporates a set of unique tools and techniques.
According to Kaspersky Lab, the most noteworthy feature of ProjectSauron’s tactics is the deliberate avoidance of patterns: ProjectSauron customises its implants and infrastructure for each individual target, and never reuses them. This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks.
The security company adds that ProjectSauron gives the impression of being an experienced and traditional actor that has put considerable effort into learning from other extremely advanced actors, including Duqu, Flame, Equation and Regin; adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered.
ProjectSauron tools and techniques of particular interest include:
* Unique footprint: Core implants that have different file names and sizes and are individually built for each target – making it very difficult to detect since the same basic indicators of compromise would have little value for any other target.
* Running in memory: The core implants make use of legitimate software update scripts and work as backdoors, downloading new modules or running commands from the attacker purely in memory.
* A bias towards crypto-communications: ProjectSauron actively searches for information related to fairly rare, custom network encryption software. This client-server software is widely adopted by many of the target organisations to secure communications, voice, email, and document exchange. The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
* Script-based flexibility: The ProjectSauron actor has implemented a set of low-level tools which are orchestrated by high-level Lua scripts. The use of Lua components in malware is very rare; it has previously only been spotted in the Flame and Animal Farm attacks.
* Bypassing air-gaps: ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks. These USB drives carry hidden compartments in which stolen data is concealed.
* Multiple exfiltration mechanisms: ProjectSauron implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised in day-to-day traffic.
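The last bullet is the one a defender can act on directly, because exfiltration over DNS leaves a trace in resolver logs regardless of how unique the implant is. Below is an added example (not part of the Kaspersky report, and not ProjectSauron's or any vendor's detection logic) that scores a constructed resolver log per zone on the traits encoded-payload DNS traffic tends to have: many queries, almost every one to a never-before-seen subdomain, long labels, and high per-character entropy. The log format, the hostnames, the hex chunks, the thresholds, and the "zone is the last two labels" rule are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "timestamp client qname qtype".
# example.com and example.org are ordinary traffic; example.net is what a DNS
# exfiltration channel disguised as an update CDN tends to look like: every
# query carries a fresh, long, hex-encoded label.
SAMPLE_LOG = """
2016-08-08T09:00:01 10.1.2.3 www.example.com A
2016-08-08T09:00:02 10.1.2.3 mail.example.com MX
2016-08-08T09:00:05 10.1.2.3 www.example.com A
2016-08-08T09:00:07 10.1.2.3 login.example.com A
2016-08-08T09:01:00 10.1.2.9 img1.cdn.example.org A
2016-08-08T09:01:01 10.1.2.9 img2.cdn.example.org A
2016-08-08T09:01:02 10.1.2.9 img3.cdn.example.org A
2016-08-08T09:01:03 10.1.2.9 static.cdn.example.org A
2016-08-08T09:01:04 10.1.2.9 assets.cdn.example.org A
2016-08-08T09:02:10 10.1.2.4 3f9a1c7be0d4528a6f1b9c0e7d2a5b48.updates-cdn.example.net TXT
2016-08-08T09:02:11 10.1.2.4 c41e09d7a3b8f25e6d0c17b94a8e3f51.updates-cdn.example.net TXT
2016-08-08T09:02:12 10.1.2.4 7d2e5a90b1c4f83a6e17d9c0b5a4e2f8.updates-cdn.example.net TXT
2016-08-08T09:02:13 10.1.2.4 e8a3b4c1d2f5079a6b1e3c8d9f04a725.updates-cdn.example.net TXT
2016-08-08T09:02:14 10.1.2.4 19f7c3e8d0a46b2f5c9e1d7a3b80f46c.updates-cdn.example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base64 payloads score well above normal hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (zone, subdomain or None).

    Assumption for this example: the zone is the last two labels. Real deployments
    should use the public suffix list so host.example.co.uk is not grouped under co.uk.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    """Yield one record per well-formed log line; skip blanks and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def analyse(text: str, min_queries=3, min_mean_len=24.0, min_mean_entropy=3.0):
    """Aggregate per zone and flag zones whose subdomains look like encoded payload.

    Thresholds are illustrative; tune them against a baseline of your own resolver logs.
    """
    zones = defaultdict(lambda: {"queries": 0, "unique": set(),
                                 "len_sum": 0, "ent_sum": 0.0, "txt": 0})
    for rec in parse_log(text):
        zone, sub = split_name(rec["qname"])
        if sub is None:
            continue  # a bare zone query carries no attacker-chosen label
        payload = sub.replace(".", "")  # all labels left of the zone, as one string
        z = zones[zone]
        z["queries"] += 1
        z["unique"].add(sub)
        z["len_sum"] += len(payload)
        z["ent_sum"] += shannon_entropy(payload)
        z["txt"] += rec["qtype"] == "TXT"  # TXT/NULL-heavy zones are worth a second look
    report, flagged = {}, []
    for zone, z in zones.items():
        n = z["queries"]
        m = {"queries": n,
             "unique_ratio": len(z["unique"]) / n,  # near 1.0 when every query is new
             "mean_len": z["len_sum"] / n,
             "mean_entropy": z["ent_sum"] / n,
             "txt_ratio": z["txt"] / n}
        report[zone] = m
        if (n >= min_queries and m["mean_len"] >= min_mean_len
                and m["mean_entropy"] >= min_mean_entropy):
            flagged.append(zone)
    return {"zones": report, "flagged": sorted(flagged)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for zone, m in sorted(result["zones"].items()):
        print(f"{zone:14} n={m['queries']:2} uniq={m['unique_ratio']:.2f} "
              f"len={m['mean_len']:5.1f} H={m['mean_entropy']:.2f} txt={m['txt_ratio']:.2f}")
    print("flagged:", result["flagged"])
```

Note that example.org has as many distinct subdomains as the exfiltration zone, so a count of unique names alone would produce a false positive on any busy CDN; it is the combination of label length and entropy that separates the two, which is the kind of "pattern where there appears to be none" that the report's advice on anomaly hunting is pointing at. A real pipeline would also baseline per-client query volume to the zone and the byte volume encoded in labels over time.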
To date, more than 30 victim organisations have been identified in Russia, Iran and Rwanda, and there may be some in Italian-speaking countries. Kaspersky Lab believes many more organisations and geographies are likely to be affected.
Kaspersky believes that targeted organisations generally play a key role in providing state services and include government bodies, the military, scientific research centres, telecom operators and financial organisations.
Forensic analysis indicates that ProjectSauron has been operational since June 2011 and remains active in 2016. The initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.
“A number of targeted attacks now rely on low-cost, readily-available tools. ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customisable scripted code,” says Vitaly Kamluk, principal security researcher at Kaspersky Lab. “The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting edge techniques from other major threat actors, is rather new.
“The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organisational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none.”
The ultimate goal of the operation appears to be stealing confidential and secret information from state-sensitive organisations; that goal, together with the cost, complexity and persistence of the campaign, suggests the involvement or support of a nation state.