17 Malicious Frameworks which Targets Air-Gapped Networks Listed by Researchers

by CISOCONNECT Bureau

In the first half of 2020, four new malicious frameworks designed to attack air-gapped networks were discovered, raising the total number of such toolkits to 17, and providing adversaries with a mechanism to conduct cyber espionage and exfiltrate confidential information.

ESET researchers Alexis Dorais-Joncas and Facundo Muñoz said in a comprehensive study of the frameworks: “All frameworks are designed to perform some form of espionage, [and] all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks.”

Air-gapping is a network security measure that physically isolates systems from other, less trusted networks, such as local area networks and the internet, to prevent unauthorized access. This also means that the only way to move data in or out is to connect a physical device, such as a USB drive or an external hard disk, to the isolated system.

Since air-gapping is one of the most common ways to protect SCADA and Industrial Control Systems (ICS), APT groups, which are typically state-sponsored or part of nation-state efforts, have increasingly targeted critical infrastructure in the hope of infiltrating an air-gapped network with malware in order to spy on targets of interest.

The following are some of the frameworks that have been linked to well-known threat actors:

Retro (DarkHotel aka APT-C-06 or Dubnium), Ramsay (DarkHotel), USBStealer (APT28 aka Sednit, Sofacy, or Fancy Bear), USBFerry (Tropic Trooper aka APT23 or Pirate Panda), Fanny (Equation Group), USBCulprit (Goblin Panda aka Hellsing or Cycldek), PlugX (Mustang Panda), and Agent.BTZ (Turla Group).

The researchers explained: “All frameworks have devised their own ways, but they all have one thing in common: with no exception, they all used weaponized USB drives.”

“The main difference between connected and offline frameworks is how the drive is weaponized in the first place.”

While connected frameworks work by installing a malicious component on the connected system that monitors the insertion of new USB drives and automatically places the attack code needed to compromise the air-gapped system, offline frameworks such as Brutal Kangaroo, EZCheese, and ProjectSauron rely on attackers infecting their own USB drives to backdoor the targeted machine.

Mitigation

As a precaution, organizations with critical information systems and sensitive data can block direct email access on connected systems, disable USB ports and sanitize USB drives, restrict file execution on removable drives, and periodically analyze air-gapped systems for any signs of suspicious activity.
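The periodic-analysis and restrict-execution steps above, as an added example for a Linux air-gapped host (not code from the article or the ESET report): it flags USB mass-storage devices in the kernel log that are not on an allowlist, and removable mounts that still permit file execution. The allowlist, device IDs, ports and mount points are constructed assumptions.

```python
# Added example: audit USB mass-storage insertions and removable-mount options
# on an air-gapped Linux host. Sample data and the allowlist are constructed.
import re

# Constructed allowlist of vendor:product IDs approved for this host (assumption).
ALLOWED_USB_IDS = {"0951:1666"}

# dmesg-style kernel lines; the devices and ports here are constructed.
SAMPLE_KERNEL_LOG = """\
usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
"""

# /proc/mounts-style lines; devices and mount points are constructed.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,relatime 0 0
"""

NEW_DEV = re.compile(r"^usb ([^:\s]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
MASS_STORAGE = re.compile(r"^usb-storage ([^:\s]+):\d+\.\d+: USB Mass Storage device detected")


def unapproved_storage(kernel_log: str) -> list:
    """Return (port, vendor:product) for mass-storage devices not on the allowlist."""
    ids_by_port = {}  # the ID line is logged before the usb-storage line for the same port
    flagged = []
    for line in kernel_log.splitlines():
        if m := NEW_DEV.match(line):
            ids_by_port[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
        elif m := MASS_STORAGE.match(line):
            usb_id = ids_by_port.get(m.group(1), "unknown")
            if usb_id not in ALLOWED_USB_IDS:
                flagged.append((m.group(1), usb_id))
    return flagged


def removable_without_noexec(mounts: str, prefix: str = "/media/") -> list:
    """Return mount points under `prefix` whose mount options lack noexec."""
    bad = []
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1].startswith(prefix) and "noexec" not in fields[3].split(","):
            bad.append(fields[1])
    return bad
```

On a real host the inputs would come from `dmesg` (or the persisted kernel journal) and `/proc/mounts`; non-storage devices such as the keyboard on port 1-3 are left unflagged.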
