Safe Air Gaps Not Protected

Monday, November 17, 2014 @ 10:11 AM gHale


Even if a true air gap exists, there is one group that figured out how to steal data from these “isolated” systems.

Removing the information from the closed circuit could occur through removable storage devices used in the web-free environment and on computers with an Internet connection.

RELATED STORIES
Espionage Program 10 Years Old
BlackEnergy: Analyzing an ICS Threat
BlackEnergy Targets Linux, Routers
ICS Targeted in Malware Campaign

Espionage group Sednit, also known as Sofacy and APT28, has been relying on this component since at least 2005, said security researchers at ESET.

The tool, detected as Win32/USBStealer, has seen action against governmental organizations in Eastern Europe, said ESET malware researcher Joan Calvet.

The method of stealing information is simple: A targeted attack compromises an Internet facing system, which ends up infected with a dropper tool designed to add USBStealer to a removable storage device known to connect to the desired air-gapped computer.

The attacker’s instructions for the main target also end up passed this way between the two systems, and the attacker uses the same method to pull the information from the isolated machine.

For the attack to work, the auto-run function in Windows has to be in action, Calvet said. One issue is the auto-run feature ended up turned off through an update from Microsoft in August 2009.

The catch is, however, air-gapped machines should be unreachable from the outside and do not benefit from regular updates like the Microsoft fix in 2009. Furthermore, ESET said the malware has been in use for at least four years before the hotfix.

The USB drive infection routine consists in dropping the threat on the device under the name of USBGuard.exe and a custom Autorun.inf file is a part of the mix, with a configuration that ensures the execution of the malware when double clicking on the drive or when accessing the first option in the right click menu.

The Sednit group devised a method to signal an infected air-gapped computer that a removable drive connected to it ended up triggered on a compromised machine with Internet access. This occurs through the presence of a specific file on the storage drive.

USBStealer exfiltrates keyrings of the PGP application for desktops and files used by cryptographic tools to store generated keys, researchers said.

On the same note, a predefined list of items also indicates the type of data it should copy. Every location of the computer scans except for folders belonging to some antivirus products.

When the malware reaches the air-gapped system for the first time, it runs a reconnaissance mission and does not collect any data. Instead, it gathers the name of the computer and groups the targeted files in a single location.

When it plugs into a machine with Internet access, it would report the findings and receive new instructions via a different tool. The exfiltration takes place in subsequent connections to the isolated computer.

In reaching its goal, Sednit employs multiple tools capable of sending and receiving instructions, ESET said. These end up planted on the outside system, which is under their control.



Leave a Reply

You must be logged in to post a comment.