Espionage platform extracts government comms data; Kaspersky Labs
Researchers have uncovered ProjectSauron, a threat which personalises the way it attacks each individual target
In 2015, researchers from Kaspersky Lab flagged up an unusual feature in a client's network which led them to "ProjectSauron", a threat with cyber-espionage motives.
ProjectSauron gains access to encrypted communications using an advanced modular cyber-espionage platform that incorporates customised tools and techniques for each victim and avoids reusing patterns.
This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks.
ProjectSauron gives the impression of being an experienced and traditional actor that has put considerable effort into learning from other extremely advanced actors, including Duqu, Flame, Equation and Regin.
Vitaly Kamluk, principal security researcher at Kaspersky Lab, said: "A number of targeted attacks now rely on low-cost, readily-available tools. ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customisable scripted code. The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting edge techniques from other major threat actors, is rather new.
"The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organisational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none."
ProjectSauron's tools actively search for information related to fairly rare, custom network encryption software used for voice, email and document exchange. ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks; these USB drives carry hidden compartments in which stolen data is concealed. Furthermore, it implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised in day-to-day traffic.
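The DNS route described above works because query names can carry encoded data while looking like ordinary lookups, so the defender's question is which names look like payloads rather than hostnames. The following is an added illustration of one detection heuristic, not Kaspersky Lab code and not derived from ProjectSauron samples: it groups resolver log entries by registered domain and flags domains that receive several distinct, long, high-entropy subdomain labels. The log format, every record and all thresholds are constructed assumptions for the example.

```python
"""Heuristic detector for data smuggled out through DNS query names.

Added illustration (not Kaspersky Lab code). Log format, records and
thresholds below are constructed for the example.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.5 A www.example-intranet.local
10.0.0.5 A mail.example-intranet.local
10.0.0.7 A cdn.vendor-updates.net
10.0.0.9 TXT 4a7f9c2e1b0d3a8f6e5c.upd-cache.example
10.0.0.9 TXT 9d1e8c4b7a2f0e3d5c6b.upd-cache.example
10.0.0.9 TXT 3c5e7a9b1d2f4e6a8c0b.upd-cache.example
10.0.0.9 TXT b2d4f6a8c0e1f3a5b7d9.upd-cache.example
10.0.0.7 A time.vendor-updates.net
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in freq.values())


def registered_domain(qname):
    """Simplification: the last two labels. Production code would consult
    the public suffix list so that e.g. 'example.co.uk' is handled."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_log(text):
    """Return (client, qtype, qname) tuples; qname lower-cased for grouping."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        client, qtype, qname = line.split()
        records.append((client, qtype, qname.lower()))
    return records


def score_query(qname):
    """Per-query signals: length and entropy of everything left of the
    registered domain (the part an exfiltration tool is free to fill)."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])
    return len(sub), shannon_entropy(sub)


def find_suspicious_domains(log_text, min_sub_len=16, min_entropy=3.5, min_unique=3):
    """Map registered domain -> sorted list of payload-looking query names.

    A domain is flagged when at least `min_unique` distinct query names have a
    subdomain part that is both long and high-entropy. Requiring several
    distinct names avoids flagging one odd-looking CDN hostname."""
    by_domain = defaultdict(set)
    for _client, _qtype, qname in parse_log(log_text):
        by_domain[registered_domain(qname)].add(qname)

    flagged = {}
    for domain, names in by_domain.items():
        hits = []
        for name in names:
            length, entropy = score_query(name)
            if length >= min_sub_len and entropy >= min_entropy:
                hits.append(name)
        if len(hits) >= min_unique:
            flagged[domain] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for domain, names in find_suspicious_domains(SAMPLE_LOG).items():
        print(f"{domain}: {len(names)} payload-like query names")
        for n in names:
            print("   ", n)
```

Thresholds are the weak point of any such heuristic: legitimate services (CDNs, anti-spam lookups, some telemetry) also emit long random-looking labels, so in practice the output is a hunting lead to be combined with per-client volume, query type and time-of-day baselines rather than an alert on its own.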
To date, more than 30 victim organisations have been identified, in Russia, Iran and Rwanda. According to Kaspersky Lab's findings, the targets are typically government, military, scientific research centres, telecom operators and financial organisations.
Forensic analysis indicates that ProjectSauron has been operational since June 2011 and remains active in 2016.