Espionage group Sednit has a tool in its arsenal that helps exfiltrate data from machines isolated from the Internet (air-gapped).

Removing the information from the closed circuit would be done through removable storage devices used both in the web-free environment and on computers with an Internet connection.

The hackers are also known under the name of Sofacy and APT28, and security researchers at ESET believe they have been relying on this particular malicious component since at least 2005.

Attack does not work if Autorun is turned off

According to ESET malware researcher Joan Calvet, the tool, detected as Win32/USBStealer by the company’s products, has been employed against governmental organizations in Eastern Europe.

The method of stealing information is simple: a targeted attack compromises an Internet facing system, which is infected with a dropper tool designed to add USBStealer to a removable storage device known to connect to the desired air-gapped computer.

The attacker’s instructions for the main target are also passed this way between the two systems, and the same method is used for gleaning information from the isolated machine.

Calvet notes that, for the attack to work, the auto-run function in Windows has to be enabled. This has been turned off through an update from Microsoft in August 2009, specifically because of this sort of risk.

However, air-gapped machines are generally considered unreachable from the outside and do not benefit from regular updates. Furthermore, ESET believes that the malware has been in use for at least four years before the hotfix.

Malware looks for specific files to exfiltrate

The USB drive infection routine consists in dropping the threat on the device under the name of USBGuard.exe and a custom Autorun.inf file is added, with a configuration that ensures the execution of the malware when double clicking on the drive or when accessing the first option in the right click menu.

Sednit hacker group devised a method to signal an infected air-gapped computer that a removable drive connected to it has been used on a machine with Internet access that has already been compromised. This is done through the presence of a specific file on the storage drive.

According to the researchers, USBStealer exfiltrates keyrings of the PGP application for desktops and files used by cryptographic tools to store generated keys.

On the same note, a predefined list of items also indicates the type of data to be copied. Every location of the computer is scanned for these files, save for folders belonging to some antivirus products, ESET Smart among them.

Stealing the data occurs in later stages of the attack

Interestingly, when the malware reaches the air-gapped system for the first time, it runs some sort of reconnaissance mission and does not collect any data. Instead, it gathers the name of the computer and groups the targeted files in a single location.

When it is plugged on a machine with Internet access, it would report the findings and receive new instructions via a different tool. The exfiltration is carried out in subsequent connections to the isolated computer.

In reaching its goal, Sednit employs multiple tools capable of sending and receiving instructions, ESET asserts. These are planted on the outside system, which is under their control.