17 malicious frameworks target air-gapped networks for espionage


Security researchers at ESET have published an in-depth analysis of over a dozen malicious frameworks (some dating back as far as 15 years) designed to target air-gapped networks. The research shows that all of them are designed to perform some sort of espionage, all use USB drives and all target Microsoft Windows exclusively.

An air gap (or disconnected network) is a security measure that physically isolates a computer network from unsecured networks, such as the public Internet or an unsecured local area network. This means that the only way to transfer data between the outside world and the air-gapped system is by connecting a physical device to it, such as a USB flash drive or an external hard disk.

ESET says that four previously unknown malicious frameworks were detected in the first half of 2020 alone, bringing the total number of such tools to 17.

“We can state without fear of contradiction that threat actors behind the known malware frameworks designed to attack air-gapped networks all belong to the advanced persistent threat (APT) category. Despite the variety of threat actors behind these frameworks, all of them shared a common purpose: espionage,” the report reads.

Some of the frameworks were previously attributed with high confidence to nation-state threat actors, such as DarkHotel (the Retro and Ramsay frameworks), Sednit (USBStealer), Tropic Trooper (USBFerry), Equation Group (Fanny), Goblin Panda (USBCulprit), and Mustang Panda (PlugX). However, for others (Stuxnet, Flame, miniFlame, Gauss, ProjectSauron, Agent.BTZ, and USBThief) attribution has not been as straightforward.

ESET’s report also mentions three toolkits (EZCheese, Emotional Simian, and Brutal Kangaroo) found in documentation from the Vault7 leaks, which reportedly were in operation between 2013 and 2016, but researchers said they did not find any samples in the wild.

The researchers discovered a variety of similarities between frameworks - all of them are designed to target Windows systems, and the majority of them (75%) rely on malicious LNK or autorun files on USB drives for initial compromise or lateral movement.
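The reliance on LNK files noted above gives defenders a concrete triage point for anything found on removable media. The following added example is not code from ESET's report: it parses the MS-SHLLINK header, LinkInfo and StringData of a .lnk file and flags links that point at a command interpreter or carry command-line arguments. The interpreter list is an assumed heuristic, and the sample link produced by build_lnk is constructed here purely as test input.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # Shell Link class ID (MS-SHLLINK)
# Assumed heuristic: a USB-borne link whose target is a command interpreter is worth triage.
INTERPRETERS = ("cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "mshta.exe")

def parse_lnk(data: bytes) -> dict:
    """Return the local target path and StringData fields of a Windows .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & 0x01:                       # HasLinkTargetIDList: skip IDListSize + ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & 0x02:                       # HasLinkInfo
        info_size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x01:              # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", pos + base_off)
            target = data[pos + base_off:end].decode("cp1252", "replace")
        pos += info_size
    unicode = bool(flags & 0x80)           # IsUnicode selects UTF-16LE StringData
    fields = {"target": target}
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                    # each StringData item: CountCharacters then chars
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * (2 if unicode else 1)]
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
            pos += 2 + len(raw)
    return fields

def is_suspicious(fields: dict) -> bool:
    """Flag links that launch an interpreter or carry command-line arguments."""
    return fields["target"].lower().endswith(INTERPRETERS) or bool(fields.get("arguments"))

def build_lnk(target: str, arguments: str) -> bytes:
    """Construct a minimal valid .lnk (sample input only): no ID list, LinkInfo + Arguments."""
    flags = 0x02 | 0x20 | 0x80
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"        # VolumeID with empty label
    base = target.encode("cp1252") + b"\x00"
    info_size = 28 + len(volume) + len(base) + 1
    link_info = struct.pack("<IIIIIII", info_size, 28, 1, 28, 28 + len(volume), 0, info_size - 1)
    link_info += volume + base + b"\x00"                               # empty CommonPathSuffix
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + args
```

Run parse_lnk over every .lnk collected from a drive image and review anything is_suspicious returns True for; a real link will usually also carry an ID list, which the parser skips.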

"All frameworks have devised their own ways, but they all have one thing in common: with no exception, they all used weaponized USB drives. The main difference between connected and offline frameworks is how the drive is weaponized in the first place," ESET notes.

The researchers separated the analyzed frameworks into two categories - connected and offline. The connected frameworks use fully remote end-to-end connectivity between the attacker and the compromised systems on the air-gapped side, while the “offline” scenario does not involve any internet-connected systems and instead requires the presence of an operator or collaborator on the ground to compromise targeted systems via a malicious USB drive.

“Discovering and analyzing this type of framework poses unique challenges. They sometimes are composed of multiple components that all have to be analyzed together in order to have the complete picture of how the attacks are really being carried out,” ESET said.

“Understanding how malware attacks air-gapped networks can help identify and prioritize detection and protection mechanisms. For example, we saw how all frameworks relied on USB drives one way or the other to spy on air-gapped systems, and none of them used any other type of covert communication channels against which TEMPEST restrictions would need to be implemented.”
