Sophisticated espionage platform covertly extracts encrypted government communications

Published 11 August 2016

Kaspersky Lab announced the other day that its researchers have discovered what they described as a “nation-state threat actor” — named ProjectSauron — who was targeting state organizations. “The cost, complexity, persistence, and ultimate goal of the operation, stealing confidential and secret information from state-sensitive organizations, suggest the involvement or support of a nation state,” Kaspersky Lab says. ProjectSauron “gives the impression of being an experienced and traditional actor who has put considerable effort into learning from other extremely advanced actors,” and “adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered.”

Kaspersky Lab announced the other day that its Anti-Targeted Attack Platform flagged an unusual feature in a client’s network, which led the company’s researchers to discover what they described as a “nation-state threat actor” who was targeting state organizations. This threat actor, named ProjectSauron, uses a unique set of tools for each victim, making traditional indicators of compromise almost useless, and appears to be focused primarily on cyber-espionage.

Kaspersky Lab says that in September 2015, the company’s product flagged an anomaly in the network of a client organization. Investigating this anomaly unveiled ProjectSauron, a threat actor particularly interested in gaining access to encrypted communications, which it hunts down using an advanced modular cyber-espionage platform built from a set of unique tools and techniques. The most noteworthy feature of ProjectSauron’s tactics is the deliberate avoidance of patterns: ProjectSauron customizes its implants and infrastructure for each individual target, and never reuses them. This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate e-mail channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks.

Key features
Kaspersky Lab says that ProjectSauron tools and techniques of particular interest include:

  • Unique footprint: Core implants that have different file names and sizes and are individually built for each target — making it very difficult to detect since the same basic indicators of compromise would have little value for any other target.
  • Running in memory: The core implants make use of legitimate software update scripts and work as backdoors, downloading new modules or running commands from the attacker purely in memory.
  • A bias towards crypto-communications: ProjectSauron actively searches for information related to fairly rare, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, e-mail, and document exchange. The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
  • Script-based flexibility: ProjectSauron has implemented a set of low-level tools which are orchestrated by high-level Lua scripts. The use of Lua components in malware is very rare - it has previously only been spotted in the Flame and Animal Farm attacks.
  • Bypassing air-gaps: ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks. These USB drives carry hidden compartments in which stolen data is concealed.
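Because the per-target implants described above defeat hash-style indicators of compromise, defenders are pushed toward behavioural signals; the DNS exfiltration route mentioned earlier is one place to look. The following Python heuristic is an added example, not code from Kaspersky Lab or from the article: it scans a constructed resolver log for hosts that send many distinct, long, high-entropy leftmost labels to one domain, the shape of data being encoded into query names rather than ordinary lookups. The log format, IPs, domains and thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log "<timestamp> <client-ip> <queried-name>"; no real indicators.
SAMPLE_LOG = """\
2016-08-10T09:00:01 10.1.4.22 www.example.com
2016-08-10T09:00:02 10.1.4.22 mail.example.com
2016-08-10T09:00:03 10.1.4.57 4f2a9c0e1b7d3e6a8c5f.updates-cdn.example.net
2016-08-10T09:00:04 10.1.4.57 9b1e3d7a0c4f6e2b5d8a.updates-cdn.example.net
2016-08-10T09:00:05 10.1.4.57 c7d2e8f1a3b6c9d0e4f5.updates-cdn.example.net
2016-08-10T09:00:06 10.1.4.57 e1f0a9b8c7d6e5f4a3b2.updates-cdn.example.net
2016-08-10T09:00:07 10.1.4.22 cdn.example.com
2016-08-10T09:00:08 10.1.4.57 0a1b2c3d4e5f6a7b8c9d.updates-cdn.example.net
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    # Naive: last two labels. A real deployment should use the public-suffix list.
    return ".".join(name.rstrip(".").split(".")[-2:])

def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1], parts[2].lower()))
    return rows

def flag_dns_exfil(rows, min_unique=4, min_label_len=16, min_entropy=3.0):
    """Return {(client, domain): distinct_labels} for pairs that sent at least
    min_unique different long, high-entropy leftmost labels (assumed thresholds)."""
    labels = defaultdict(set)
    for _, client, name in rows:
        domain = registered_domain(name)
        if not name.endswith("." + domain):
            continue  # bare domain lookup, nothing encoded in front of it
        first_label = name[: -len(domain) - 1].split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            labels[(client, domain)].add(first_label)
    return {k: len(v) for k, v in labels.items() if len(v) >= min_unique}
```

Run over the sample, only 10.1.4.57 talking to example.net is flagged (five distinct labels); the thresholds need tuning against a baseline of each network's legitimate CDN and mail traffic before use.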