Four different malicious frameworks designed to attack air-gapped networks were detected in the first half of 2020 alone, bringing the total number of such toolkits to 17 and offering adversaries a pathway to cyber espionage and exfiltrate classified information.
“All frameworks are designed to perform some form of espionage, [and] all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks,” ESET researchers Alexis Dorais-Joncas and Facundo Muñoz said in a comprehensive study of the frameworks.
Air-gapping is a network security measure designed to prevent unauthorized access to systems by physically isolating them from other unsecured networks, including local area networks and the public internet. This also implies that the only way to transfer data is by connecting a physical device to it, such as USB drives or external hard disks.
Given that the mechanism is one of the most common ways SCADA and industrial control systems (ICS) are protected, APT groups that are typically sponsored or part of nation-state efforts have increasingly set their sights on the critical infrastructure in hopes of infiltrating an air-gapped network with malware so as to surveil targets of interest.
Primarily built to attack Windows-based operating systems, the Slovak cybersecurity firm said that no fewer than 75% of all the frameworks were found leveraging malicious LNK or AutoRun files on USB drives to either carry out the initial compromise of the air-gapped system or to move laterally within the air-gapped network.
Some frameworks that have been attributed to well-known threat actors are as follows —
- Retro (DarkHotel aka APT-C-06 or Dubnium)
- Ramsay (DarkHotel)
- USBStealer (APT28 aka Sednit, Sofacy, or Fancy Bear)
- USBFerry (Tropic Trooper aka APT23 or Pirate Panda)
- Fanny (Equation Group)
- USBCulprit (Goblin Panda aka Hellsing or Cycldek)
- PlugX (Mustang Panda), and
- Agent.BTZ (Turla Group)
“All frameworks have devised their own ways, but they all have one thing in common: with no exception, they all used weaponized USB drives,” the researchers explained. “The main difference between connected and offline frameworks is how the drive is weaponized in the first place.”
While connected frameworks work by deploying a malicious component on the connected system that monitors the insertion of new USB drives and automatically places in them the attack code needed to poison the air-gapped system, offline frameworks like Brutal Kangaroo, EZCheese, and ProjectSauron rely on the attackers deliberately infecting their own USB drives to backdoor the targeted machines.
That said, covert transmission of data out of air-gapped environments without USBs being a common thread remains a challenge. Although a number of methods have been devised to stealthily siphon highly sensitive data by leveraging Ethernet cables, Wi-Fi signals, the computer’s power supply unit, and even changes in LCD screen brightness as novel side-channels, in-the-wild attacks exploiting these techniques has yet to be observed.
As precautions, organizations with critical information systems and sensitive information are recommended to prevent direct email access on connected systems, disable USB ports and sanitize USB drives, restrict file execution on removable drives, and carry out periodic analysis of air-gapped systems for any signs of suspicious activity.
“Maintaining a fully air gapped system comes with the benefits of extra protection,” Dorais-Joncas said. “But just like all other security mechanisms, air gapping is not a silver bullet and does not prevent malicious actors from preying on outdated systems or poor employee habits.”