Sophisticated espionage platform covertly extracts encrypted government communications

  • Multiple exfiltration mechanisms: ProjectSauron implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised as day-to-day traffic.
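One defensive check that follows from the DNS channel described above, as an added example that is not part of the original release and not Kaspersky Lab's code: a small detector that runs over a constructed resolver log, flags queries whose subdomain labels look like encoded data (long and high-entropy), and then counts distinct suspicious names per client and registered domain, since a stream of unique chunks to one domain is the signal, not one odd lookup. Thresholds, log format and the sample names are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the report): "<timestamp> <client> <qname>".
# Two queries carry 32-character hex labels under one domain, the pattern of
# data chunks hidden inside ordinary-looking lookups.
SAMPLE_LOG = """\
2016-08-08T09:01:02 10.0.0.12 www.example.com
2016-08-08T09:01:05 10.0.0.12 mail.example.com
2016-08-08T09:01:09 10.0.0.12 4f2a9c1e7b3d5a6f8e0c1b2a3d4e5f60.updates.example-cdn.net
2016-08-08T09:01:11 10.0.0.12 5e1b8d0c7a9f3e2d1c0b9a8f7e6d5c4b.updates.example-cdn.net
2016-08-08T09:01:15 10.0.0.12 static.example.org
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; hex- or base32-like chunks score high, real words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def is_suspicious_qname(qname: str, min_label_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Flag a query whose subdomain labels look like encoded data rather than hostnames."""
    labels = qname.rstrip(".").split(".")
    # Ignore the registered domain (last two labels, a simplification) and inspect the rest.
    return any(len(label) >= min_label_len and shannon_entropy(label) >= min_entropy
               for label in labels[:-2])

def find_suspicious_queries(log_text: str) -> list:
    """Return (client, qname) for each log line whose name looks like an exfil chunk."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = parts
        if is_suspicious_qname(qname):
            hits.append((client, qname))
    return hits

def chunks_per_domain(hits) -> dict:
    """Count distinct suspicious names per (client, registered domain)."""
    seen = defaultdict(set)
    for client, qname in hits:
        domain = ".".join(qname.rstrip(".").split(".")[-2:])
        seen[(client, domain)].add(qname)
    return {key: len(names) for key, names in seen.items()}

if __name__ == "__main__":
    for (client, domain), n in chunks_per_domain(find_suspicious_queries(SAMPLE_LOG)).items():
        print(f"{client} sent {n} suspicious lookups to {domain}")
```

Tune the thresholds against a baseline of your own resolver logs; legitimate CDN and telemetry names also use long labels, so the per-domain count is what separates noise from a channel.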

Geography and victim profile
To date, more than thirty victim organizations have been identified in Russia, Iran, and Rwanda, and there may be some in Italian-speaking countries. The company believes many more organizations and geographies are likely to be affected.

Based on the company’s analysis, targeted organizations generally play a key role in providing state services and include:

  • Government
  • Military
  • Scientific research centers
  • Telecom operators
  • Financial organizations

Forensic analysis indicates that ProjectSauron has been operational since June 2011 and remains active in 2016. The initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.

“A number of targeted attacks now rely on low-cost, readily-available tools, and in contrast, ProjectSauron is one of those that relies on homemade, trusted tools and customizable scripted code,” said Vitaly Kamluk, principal security researcher, Kaspersky Lab. “The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting-edge techniques from other major threat actors, is rather new. The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organizational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none.”

ProjectSauron gives the impression of being an experienced and traditional actor who has put considerable effort into learning from other extremely advanced actors, including Duqu, Flame, Equation, and Regin, adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered.

The cost, complexity, persistence, and ultimate goal of the operation, stealing confidential and secret information from state-sensitive organizations, suggest the involvement or support of a nation state.

Kaspersky Lab security experts advise organizations to undertake a thorough audit of their IT networks and endpoints and to implement the following measures:

  • Introduce an anti-targeted attack solution alongside new or existing endpoint protection. Endpoint protection on its own is not enough to withstand the next generation of threat actors.
  • Call in the experts if the technology flags an anomaly. The most advanced security solutions will be able to spot an attack even as it is happening, and security professionals are sometimes the only ones who can effectively block, mitigate, and analyze major attacks.
  • Supplement the above with threat intelligence services: this will inform security teams about the latest evolution in the threat landscape, attack trends, and the signs to watch out for.
  • And last, but not least, since many major attacks start with a spear-phishing or other approach to employees, make sure that staff understand and practice responsible cyber-behavior.

See the full report on ProjectSauron here. Indicators of compromise and YARA rules are available. Learn more about ProjectSauron in the blog post on Securelist.com.