ProjectSauron: In September 2015, Kaspersky Lab's Anti-Targeted Attack Platform flagged an unusual feature on an organization's network.
This "anomaly" led researchers to uncover ProjectSauron, a nation-state-backed threat actor attacking government agencies with a unique set of tools for each victim, which renders traditional indicators of compromise almost useless.
The attacks appear to be aimed mainly at digital espionage.
ProjectSauron focuses on gaining access to encrypted communications using an advanced, modular digital espionage platform that incorporates a host of unique tools and techniques. The most notable feature of ProjectSauron is its deliberate avoidance of repeating patterns.
ProjectSauron adapts its "implants" and infrastructure to each individual target and never reuses them. This approach, coupled with multiple paths for exfiltrating stolen data, such as legitimate email and DNS channels, enables ProjectSauron to conduct covert, long-term espionage campaigns on target networks.
ProjectSauron gives the impression that whoever is behind it is an experienced and established actor who has made significant efforts to study other highly advanced actors such as Duqu, Flame, Equation and Regin, adopting some of their most innovative techniques and improving on their tactics in order to remain hidden.
The ProjectSauron tools and techniques of particular interest are:
- Unique footprint: Its core implants have different file names and sizes and are built separately for each target, making them very difficult to find, since the indicators of compromise from one victim would be of little value for any other.
- Running in memory: The core implants make use of legitimate software-update scripts and act as backdoors, downloading new modules or running the attacker's commands entirely in the system's memory.
- Focus on encrypted communications: ProjectSauron actively seeks out information related to fairly rare, custom network encryption software. This client-server software has been widely adopted by many of the target organizations to secure communications, voice, email and document exchange. The attackers are particularly interested in the encryption software's components, keys, configuration files and the location of the servers that relay encrypted messages between nodes in a network.
- Script-based flexibility: ProjectSauron has implemented a number of low-level tools orchestrated by high-level Lua scripts. The use of Lua components in malware is very rare; previously it had been seen only in the Flame and Animal Farm attacks.
- Bypassing network isolation solutions: ProjectSauron uses specially prepared USB drives to penetrate isolated networks. These USB drives contain hidden compartments in which the stolen data is concealed.
- Multiple exfiltration mechanisms: ProjectSauron implements a number of paths for extracting data, including legitimate channels such as email and DNS. Stolen information copied from the victim is thus "disguised" within the daily workflow.
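Of the exfiltration paths listed above, DNS is the one a network sensor can actually see in ordinary query logs. The following is an added example (not Kaspersky Lab's code and not a ProjectSauron artefact): a Python script that groups DNS queries by registered domain over a constructed log sample and flags domains whose leftmost labels look like encoded data (many unique, long, high-entropy labels). The thresholds, the log format and the two-label "registered domain" rule are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp client qtype qname); not real data.
SAMPLE_LOG = """\
2016-08-08T09:00:01 10.0.0.5 A www.example-corp.test
2016-08-08T09:00:02 10.0.0.5 A mail.example-corp.test
2016-08-08T09:00:03 10.0.0.7 A www.example-corp.test
2016-08-08T09:00:04 10.0.0.5 TXT 4a7f3c9e1b2d8f0a6c5e.sync.update-cdn.test
2016-08-08T09:00:05 10.0.0.5 TXT 9d2e5b7c1f4a8e3b0c6d.sync.update-cdn.test
2016-08-08T09:00:06 10.0.0.5 TXT e1c4a9f27b8d3e6a0f5b.sync.update-cdn.test
2016-08-08T09:00:07 10.0.0.5 TXT 7b3f0d6e9a2c5f8b1e4d.sync.update-cdn.test
2016-08-08T09:00:08 10.0.0.5 TXT 2f8c6e1a4d9b7f0e3c5a.sync.update-cdn.test
2016-08-08T09:00:09 10.0.0.7 A www.example-corp.test
"""

def shannon_entropy(s):
    """Bits of entropy per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_exfil_candidates(log_text, min_unique=4, min_len=16, min_entropy=3.5):
    """Group queries by registered domain and flag those whose leftmost labels look
    like encoded payload chunks. Returns {domain: stats} for the flagged domains."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines instead of crashing
            continue
        qname = parts[3].rstrip(".").lower()
        per_domain[registered_domain(qname)].append(qname.split(".")[0])
    flagged = {}
    for domain, labels in per_domain.items():
        unique = set(labels)
        avg_len = sum(len(l) for l in unique) / len(unique)
        avg_ent = sum(shannon_entropy(l) for l in unique) / len(unique)
        if len(unique) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[domain] = {"queries": len(labels), "unique_labels": len(unique),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Tune the thresholds against a baseline of the organization's own traffic; CDNs and anti-spam services also emit long hashed labels, so a flagged domain is a lead for analysts, not a verdict.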
Geographical spread and victim profiles
To date, more than 30 victim organizations have been identified in Russia, Iran and Rwanda, and there may also be victims in some Italian-speaking countries. Kaspersky Lab believes that many more organizations and geographic areas are likely to be affected.
Based on Kaspersky Lab's analysis, target organizations generally play a key role in providing government services and include:
- Government agencies
- Military organizations
- Scientific research centres
- Telecommunication providers
- Financial institutions
Digital forensic analysis shows that ProjectSauron has been operating since June 2011 and remained active in 2016. The initial infection vector ProjectSauron uses to penetrate its victims' networks remains unknown.
"Many targeted attacks now rely on low-cost, readily available tools. ProjectSauron, by contrast, is one of those actors that rely on custom-built, reliable tools and customizable code. Also new is the use of unique indicators, such as the control server, encryption keys and more, in addition to adopting advanced techniques from other major threat actors.
The only way to cope with such threats is to have multiple layers of security, based on a chain of sensors that will track even the slightest "anomaly" in the workflow. This should be reinforced with threat intelligence and forensic analysis procedures to identify patterns of behavior, even when they appear to be absent," said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab.
Based on the cost, complexity, persistence and ultimate goal of the operation, namely the interception of confidential information from sensitive state agencies, the involvement or support of a state is indicated.
Kaspersky Lab security experts recommend that organizations scrutinize their networks and endpoints and implement the following measures:
- Introduce an anti-targeted attack solution that works alongside a new or existing endpoint protection solution. On its own, endpoint protection is not enough to withstand the new generation of threat actors.
- Call in experts whenever an anomaly is identified in the technology infrastructure. While the most advanced security solutions can detect an attack as it happens, security professionals are sometimes the only ones who can effectively prevent, mitigate and analyze major attacks.
- Complement the above measures with threat intelligence services, so that the executives responsible for an organization's digital security are kept fully informed of the latest developments in the threat landscape, trends in digital attacks and the signs to watch for.
- Since many major attacks start with spear-phishing or some other approach to employees, organizations must make sure their staff understand and adopt responsible digital behaviour.
The full report for ProjectSauron is already available to Kaspersky Lab APT Intelligence's information service customers. More information is available at: http://www.kaspersky.com/enterprise-security/apt-intelligence-reporting.
Indicators of compromise and YARA rules are also available.
All Kaspersky Lab products detect ProjectSauron threats under the verdict HEUR:Trojan.Multi.ProjectSauron.gen.
More information about ProjectSauron is available on a dedicated blogpost, at Securelist.com.