30 More Victims Pinned On Highly Selective Cyberespionage Group

Kaspersky Lab says newly discovered threat actor ProjectSauron -- called Strider by Symantec -- has hit organizations in Russia, Rwanda, Iran, and Italian-speaking nations.

A cyber espionage group that has been operating covertly since at least June 2011 had its cover blown this week by two security vendors, both of whom said they discovered the group’s activity from malware samples submitted to them by their respective customers.

Kaspersky Lab, which has dubbed the group ProjectSauron, described it as a sophisticated nation-state threat actor targeting state organizations. The group has been using a different set of attack tools for each victim making its activities almost impossible to spot using traditional indicators of compromise, the vendor said.

The core payloads used by ProjectSauron to exfiltrate data from victim networks are customized for individual targets and are never used again in other attacks. “This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks,” the Kaspersky Lab said in an alert Monday.

Kaspersky Lab said it has discovered at least 30 organizations in Russia, Rwanda and Iran that appear to have been victimized by ProjectSauron so far. There’s a good chance that many others are affected as well, including some in Italian-speaking countries, it said. The group’s victims have mostly tended to be government organizations, the military, scientific research centers, telecom operators, and financial services providers.

There are several aspects about ProjectSauron’s modus operandi that are noteworthy, according to Kaspersky Lab. In addition to using highly customized core implants, ProjectSauron also leverages legitimate software update scripts to download new modules or execute malicious command entirely in memory.

The operators of ProjectSauron have also shown a tendency to go after the systems and infrastructure that organizations use to encrypt communications, voice, email, and document exchanges. “The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.”

Significantly, the group has used specially modified USB drives to try and infect air-gapped systems—or systems that are not directly connected to the Internet. The drives have typically contained secret compartments for hiding stolen data, Kaspersky Lab said without offering any explanation on how ProjectSauron operatives might have tricked victim organizations into using the rogue drives on air-gapped systems.

Kaspersky Lab did not respond to a request for comment on the issue.

Symantec, which was the other vendor to issue an alert on the threat actor this week, described it as a fairly advanced cyber espionage group. “This assessment is based in part by their malware, selective targeting, and their ability to go undetected for so long,” says Jon DiMaggio, Sr. Threat Intelligence Analyst for Symantec Security Response.

The Strider group, which is Symantec’s name for ProjectSauron, is noteworthy for its use of a sophisticated malware tool called Remsec that appears designed primarily for cyber espionage.

“The Remsec malware created and used by Strider is fairly unique in its use of executable [Binary Large Objects] and use of Lua modules which is not what we typically see with espionage malware,” DiMaggio says. The only malware with similar functionality that has been seen previously is an espionage tool called Flamer, he said.

Strider appears to have the technical capability and funding to develop custom malware capable of gaining remote access to infected systems, capturing keystrokes and adding new functionality quickly, he says. “The modular design may also be a sign that the attacker wanted to ensure there was flexibility built into their malware to add future capabilities without a major re-write of code,” DiMaggio said.

Symantec said it has found evidence of Strider infections in a total of just 36 computers across seven organizations in Belgium, China, Russia and Sweden so far. But that is most likely only because the group has been highly selective of the targets it has gone after so far, DiMaggio says.

“Based on the sophistication of Strider operations and malware it is more likely that their operations are based on selective targeting as opposed to the group struggling to successfully compromise intended targets,” he says. The fact that the group has gone undetected for years suggests that Strider is an advanced group that plans out its operations and executes with specific objectives in mind, DiMaggio said.

Related stories:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading: