Palo Alto Networks’ Unit 42 announced that it had discovered that the cyber espionage group, known as Tick, had targeted a specific type of secure USB drive created by a South Korean defence company. The USB drive and its management system have various features to follow security guidelines in South Korea. Ofer Maor, Director of Solutions Management at Synopsys commented below.

Ofer Maor, Director Of Solutions Management at Synopsys:

“This form of attack is designed to target networks separated from the internet (aka “air gapped” systems), where there is no possibility of hacking through traditional network-based attack vectors. As air gapped systems eventually need to communicate with the outside world to get updates, provide status reports, etc., the data to and from these networks is usually done using USB drives/sticks. By creating a malware that can propagate via USB sticks, the attackers are able to take advantage of “connectivity” of the network, and deploy the Trojan.

Judging by the specific exploits of the fairly old operating systems used, it’s quite apparent that this is a very targeted attack, looking to take over a specific target. Oftentimes air gapped networks (and older software) are a sign of some sort of critical infrastructure industrial control system (such as power plants, nuclear reactors, electricity grids, etc.). This is a very similar to the technique used to attack the centrifuges in Iran with Stuxnet, which was also air gapped.

Organisations that use air gapped networks should make sure to have a very secure, well filtered and well controlled process for data transfer. Unfortunately many organisations feel that since the network is “air gapped” then it is secure, and do not employ sufficient protection around the input and output from their staff using USB drives. Moreover, as we can see from such weaponised attacks, being air-gapped is *not* a guarantee against attacks, and organisations must therefore employ all standard security practices internally as well.

In many cases, we discover that air-gapped networks have almost no security procedures in place such as continuous patching, compartmentalisation, and other common practices. Again, this comes from the notion that it is already “secure”.”

Much like any other type of exploit, various logging and alerting techniques can be used to identify exploits attempting to conduct malicious activity inside your organisation. Recent developments in the field of deception also allow the planting of decoy targets in your network to attract such attacks and identify when they take place.”