An espionage group that has been operating for at least five years, and is likely backed by a nation state, has been discovered independently by two research groups.
Symantec and Kaspersky Lab researchers gave the group different names, but both agree it is an advanced persistent threat (APT) organization focused on stealthily exfiltrating information.
Symantec calls the group Strider, while Kaspersky calls it ProjectSauron.
Evidence of the group's activity goes back to at least 2011. Since then, it has targeted at least 30 organizations in Russia, China, Sweden, Belgium, Iran, Rwanda, and Italy.
The complexity of the malware, the fact that it remained hidden for so long, the types of organizations targeted (government and military entities, embassies, telecoms, scientific research centers), and the nature of the data collected and exfiltrated all point to a state-backed attack group. The researchers, however, are not sure which nation.
“The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them,” Kaspersky researchers said in a post.
“ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified Lua interpreter to execute internal scripts,” the researchers found.
Remsec (as Symantec researchers dubbed the attack framework) is built to keep a low profile.
“Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect. In addition to this, much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk,” Symantec said in a post.
Symantec also published more technical details about the various modules, as well as indicators of compromise and YARA rules.
The malware implants and the infrastructure used against each target organization are customized and never reused, the researchers said.
“The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software,” Kaspersky researchers said.
If anyone thinks that unplugging from the network and becoming an island unto itself would be an effective defense, think again. The group can steal information from air-gapped systems and networks via specially crafted USB storage drives that hide exfiltrated data in a custom-encrypted partition, one that many Data Loss Prevention (DLP) solutions do not block.
But the researchers believe that this approach is seldom used.
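A hidden, encrypted area on a removable drive is invisible to the operating system because it sits outside any partition, but it is not invisible to an analyst with a raw image of the disk: unallocated space on a normal USB stick is mostly zeros, while an encrypted store has near-maximal byte entropy. The script below is an added example written for this article, not code from Symantec or Kaspersky and not a detector for the specific drives the reports describe. It assumes an MBR-partitioned image, parses the partition table, lists the byte ranges no partition covers, and flags any large range whose Shannon entropy looks like ciphertext. The sample image, partition layout, and the SHA-256-based filler standing in for encrypted data are all constructed here for the demonstration.

```python
"""Flag hidden high-entropy space on a removable-disk image.

Added example for the article above, not code from the Strider/ProjectSauron
reports. Assumes an MBR partition table; the sample image is constructed.
"""
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for all-zero data, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_mbr(image: bytes) -> list:
    """Return (start_lba, size_sectors, type) for every populated MBR entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, size = struct.unpack("<II", entry[8:16])
        if ptype != 0 and size != 0:
            parts.append((start, size, ptype))
    return parts


def unallocated_regions(image_len: int, parts: list) -> list:
    """Byte ranges (offset, length) not covered by any partition; sector 0 (MBR) excluded."""
    regions = []
    cursor = 1
    for start, size, _ in sorted(parts):
        if start > cursor:
            regions.append((cursor * SECTOR, (start - cursor) * SECTOR))
        cursor = max(cursor, start + size)
    end_sector = image_len // SECTOR
    if end_sector > cursor:
        regions.append((cursor * SECTOR, (end_sector - cursor) * SECTOR))
    return regions


def find_hidden_areas(image: bytes, threshold: float = 7.5, min_bytes: int = 64 * 1024) -> list:
    """Unallocated regions that are at least min_bytes long and look encrypted."""
    hits = []
    for offset, length in unallocated_regions(len(image), parse_mbr(image)):
        if length < min_bytes:
            continue
        ent = shannon_entropy(image[offset: offset + length])
        if ent >= threshold:
            hits.append((offset, length, round(ent, 3)))
    return hits


def pseudo_ciphertext(nbytes: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for encrypted exfiltrated data."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:nbytes])


def build_sample_image() -> bytes:
    """Constructed 2 MiB image: one FAT32 partition followed by a hidden encrypted tail."""
    total_sectors, part_start, part_size = 4096, 2048, 1024
    image = bytearray(total_sectors * SECTOR)
    # Entry 0: type 0x0C (FAT32 LBA); CHS fields left zero, LBA start/size set.
    image[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0x0C, b"\0\0\0", part_start, part_size)
    image[510:512] = b"\x55\xaa"
    # Visible partition: low-entropy text filler, the kind DLP tools inspect.
    body = b"REPORT.TXT plain text filler " * 64
    for s in range(part_size):
        off = (part_start + s) * SECTOR
        image[off:off + SECTOR] = body[:SECTOR]
    # Sectors after the partition: unallocated to the OS, filled with "ciphertext".
    tail_off = (part_start + part_size) * SECTOR
    image[tail_off:] = pseudo_ciphertext(len(image) - tail_off)
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for offset, length, ent in find_hidden_areas(img):
        print(f"suspicious unallocated area at {offset:#x}, {length} bytes, entropy {ent}")
```

On a real drive, run the same check against a full image taken with dd; the gap between the MBR and the first partition is normally zeros or boot code and scores low, so only the tail region is flagged here. GPT-partitioned sticks would need a GPT parser in place of parse_mbr, which this example does not include.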
The espionage group also uses a number of other data exfiltration and communication methods, including widely used and well known protocols.
The C&C domain and server infrastructure used for the attacks is always different, to prevent creating patterns and minimize the researchers’ ability to track the group’s activities.