
Espionage platform extracts government comms data; Kaspersky Labs

Researchers have uncovered ProjectSauron, a threat which personalises the way it attacks each individual target


In 2015, researchers from Kaspersky Lab flagged up an unusual feature in a client's network which led them to "ProjectSauron", a threat with cyber-espionage motives.

ProjectSauron works by gaining access to encrypted communications by using an advanced modular cyber-espionage platform that incorporates customised tools and techniques for each victim and avoids reusing patterns.

This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks.

ProjectSauron gives the impression of being an experienced and traditional actor that has put considerable effort into learning from other extremely advanced actors, including Duqu, Flame, Equation and Regin.

Vitaly Kamluk, principal security researcher at Kaspersky Lab, said: "A number of targeted attacks now rely on low-cost, readily available tools. ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customisable scripted code. The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting-edge techniques from other major threat actors, is rather new.

"The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organisational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none."

ProjectSauron's tools actively search for information related to fairly rare, custom network encryption software, such as that used for voice, email and document exchange. ProjectSauron makes use of specially prepared USB drives to jump across air-gapped networks; these drives carry hidden compartments in which stolen data is concealed. It also implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with information copied from the victim disguised as day-to-day traffic.
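The DNS exfiltration route described above is the one most amenable to the "chain of sensors" approach Kamluk recommends, because stolen data tunnelled through DNS leaves a characteristic trace: long, high-entropy query labels sent in volume by one client to one parent domain. The following is an added defender-side example, not code from Kaspersky Lab or from the ProjectSauron analysis; it runs a simple length-and-entropy heuristic over a constructed DNS query log and approximates the registrable domain as the last two labels (an assumption; production tooling would use a public-suffix list).

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from Kaspersky's report): "client_ip qname" per line.
# The 10.0.0.7 lines imitate data tunnelled out in hex-encoded subdomain labels.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c2d1e8b74f0a9c1d2e3f4a5b6c7d.updates.example-cdn.net
10.0.0.7 7e1b2c3d4f5a6b7c8d9e0f1a2b3c4d5e.updates.example-cdn.net
10.0.0.7 9f8e7d6c5b4a39281706f5e4d3c2b1a0.updates.example-cdn.net
10.0.0.7 0123456789abcdef0123456789abcdef.updates.example-cdn.net
10.0.0.9 cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: hex data peaks at 4.0, base64 at 6.0, ordinary hostnames sit well below."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Parse 'client_ip qname' lines into (ip, qname) tuples, skipping malformed or blank lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            records.append((parts[0], parts[1].lower()))
    return records


def looks_encoded(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """A long, high-entropy leftmost label is the typical shape of data stuffed into a query name."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_suspicious(records, min_unique: int = 3):
    """Group encoded-looking names by (client, parent domain) and alert once a client has sent
    at least min_unique distinct ones there; a single odd name is noise, a stream of them is a channel."""
    encoded = defaultdict(set)
    for ip, qname in records:
        first_label = qname.split(".")[0]
        if looks_encoded(first_label):
            encoded[(ip, parent_domain(qname))].add(qname)
    alerts = []
    for (ip, parent), names in sorted(encoded.items()):
        if len(names) >= min_unique:
            alerts.append({"client": ip, "parent_domain": parent, "unique_names": len(names)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds (20 characters, 3.0 bits per character, 3 distinct names) are starting points to tune against a site's own baseline; CDNs and some cloud services legitimately use long hashed labels, so the per-client, per-parent-domain grouping is what keeps the alert rate manageable rather than the entropy score alone.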

To date, more than 30 victim organisations have been identified, in Russia, Iran and Rwanda. According to Kaspersky Lab's findings, the targets are typically government bodies, the military, scientific research centres, telecom operators and financial organisations.

Forensic analysis indicates that ProjectSauron has been operational since June 2011 and remains active in 2016.
