Project Sauron discovered only recently, after five years! The jewel in the crown of state-sponsored malware?
Project Sauron is a newly-discovered player in the world of state-sponsored malware, used to attack government agencies, military organizations, telecom firms and financial institutions, and following in the footsteps of Flame, Duqu and Regin.
Clearly coded by a Tolkien fan, Project Sauron catches the attention not only for seemingly surviving under the radar for five years but, as Ars Technica reports, for its apparent interest in air-gapped computers.
The malware may have been designed by a state-sponsored group. It can disguise itself as benign files and does not operate in predictable ways, making it harder to detect. Experts from Kaspersky Lab and Symantec said it allows the attacker to spy on infected computers.
In September last year, Kaspersky first detected the malware on an unspecified “government organization” network. Since then, the firm claims to have found evidence of Project Sauron at more than 30 organizations in Russia, Iran and Rwanda. These were generally government, scientific, services, telecoms and financial organizations, according to Kaspersky.
Separately, Symantec said it had found the malware in other countries, including at an airline in China and an embassy in Belgium.
Project Sauron is able to disguise itself in a wide variety of ways, for example as files with names similar to those published by organizations like Microsoft, and it does not always use the same methods for sending data back to the attacker.
The malware can steal files, log all keystrokes and open a “back door” allowing wide-ranging access to the compromised computer, according to Symantec.
Project Sauron did not share any code with other known examples of similarly powerful malware, said Kaspersky’s director of threat research Costin Raiu. “It really stands out by itself as something very, very sophisticated,” he told the BBC.
Researchers believe Project Sauron may have been made by a state-sponsored hacker group. Mr Raiu also pointed out that two of the malware’s victims had been infected with other highly sophisticated malicious programs; one victim, for example, was found to have Regin spyware on their systems.
One aspect of Project Sauron that demonstrates the malware’s sophistication is its ability to steal sensitive data, such as encryption keys, from computers that are not connected to the internet. This is known as “jumping the air gap”.
For this, Project Sauron relies on an infected USB drive being inserted into the target computer. A hidden cache of files on the drive is then able to deposit malware on to that PC.
Part of what makes Project Sauron so impressive is its ability to collect data from air-gapped computers. To do this, it uses specially prepared USB storage drives that contain a virtual file system the Windows operating system does not see. To infected computers, the removable drives appear to be approved devices, but behind the scenes several hundred megabytes are reserved for storing data taken from the air-gapped machines. The arrangement works even against computers on which data-loss-prevention software blocks the use of unknown USB drives.
Kaspersky researchers still aren’t sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn’t in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.
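A practical check a defender can run against the USB technique described above, added here as an example and not code from the original article, Kaspersky or Symantec. The page does not describe the on-disk layout of the hidden area, so the script assumes the simplest case: the reserved space shows up as sectors that the drive's MBR partition table does not account for. It parses a 512-byte MBR plus the sector count the device reports and flags any unallocated region above a threshold (64 MiB is an assumed value, large enough to ignore normal 1 MiB partition alignment). The sample MBR and device size are constructed for the example, not captured from a real drive.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Normal partition alignment leaves ~1 MiB before the first partition; flag
# anything larger than this (assumed threshold, tune for your own fleet).
SLACK_THRESHOLD_BYTES = 64 * 1024 * 1024


def parse_mbr_partitions(mbr: bytes):
    """Return sorted (start_lba, sector_count, type_id) tuples for the used
    entries of a classic MBR partition table (4 x 16-byte entries at 0x1BE)."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 does not carry an MBR boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        type_id = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if type_id == 0 or count == 0:      # empty slot
            continue
        parts.append((start, count, type_id))
    return sorted(parts)


def unallocated_regions(parts, total_sectors):
    """Sector ranges covered by no partition, including trailing space."""
    regions = []
    cursor = 1  # sector 0 is the MBR itself
    for start, count, _ in parts:
        if start > cursor:
            regions.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if total_sectors > cursor:
        regions.append((cursor, total_sectors - cursor))
    return regions


def suspicious_slack(mbr, total_sectors, threshold=SLACK_THRESHOLD_BYTES):
    """Unallocated regions big enough to hide a staging area."""
    gaps = unallocated_regions(parse_mbr_partitions(mbr), total_sectors)
    return [(s, n) for s, n in gaps if n * SECTOR >= threshold]


def make_mbr(entries):
    """Build a constructed MBR for testing; entries are (bootable, type_id, start, count)."""
    mbr = bytearray(SECTOR)
    for i, (bootable, type_id, start, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = type_id
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed sample: a "16 GB" stick whose single FAT32 partition stops
# 300 MiB (614400 sectors) short of the end of the device.
SAMPLE_TOTAL_SECTORS = 31_250_432
SAMPLE_MBR = make_mbr([(True, 0x0C, 2048, SAMPLE_TOTAL_SECTORS - 2048 - 614_400)])


if __name__ == "__main__":
    # Against a real device on Linux you would read the values instead, e.g.
    #   mbr = open("/dev/sdb", "rb").read(512)
    #   total = int(subprocess.check_output(["blockdev", "--getsz", "/dev/sdb"]))
    for start, count in suspicious_slack(SAMPLE_MBR, SAMPLE_TOTAL_SECTORS):
        print(f"unallocated: LBA {start}, {count} sectors (~{count * SECTOR // 2**20} MiB)")
```

Two caveats follow from the article itself. First, a staging area could just as well sit inside a partition with an unfamiliar type ID, or on a GPT-labelled stick, and neither case shows up in this view; when in doubt, image the whole device and compare the capacity the controller reports with what Windows Disk Management shows. Second, because the drive presents itself as an approved device, DLP allow-lists keyed on vendor ID, product ID or serial number do not help here; the check has to look at the medium, not at the device identity.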
Project Sauron is characteristic of state-sponsored style malware, according to cybersecurity expert Graham Cluley. “These are very stealthy, insidious attacks that can lurk in the background for years gathering information,” he told the BBC. “We have seen the steady progression and evolution of these sorts of attacks. As governments try to protect themselves and get clued up, it is essentially an arms race.”