InfoSec professionals know that most so-called Advanced Persistent Threats (APTs) are, frankly speaking, not truly APTs. But every now and then, a genuinely persistent attack using a range of advanced evasion techniques emerges on the cyber threat landscape, and it's critical for organizations to sit up and take notice. The most recent addition to this Most Unwanted List is the platform that Kaspersky Lab researchers have dubbed ProjectSauron (the name comes from a string found in its configuration data, not from the attackers themselves).
As Kaspersky Lab researchers put it, ProjectSauron (Symantec tracks the same group as Strider) is a "top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods."
Here's a rundown of what's known so far about the ProjectSauron platform and its attack tool, known as Remsec:
- Operating for at least five years: active since at least June 2011, with activity still observed in April 2016
- Designed to eavesdrop on customized network encryption software used by government organizations
- Targeting specific countries and designed to collect high value intelligence by breaching as many entities as possible within a targeted area
- Victims so far include targeted organizations in Russia, Iran, Rwanda, Sweden and Belgium
- Likely the work of a nation state with a multi-million dollar budget
- Uses various malware modules aimed at stealing different types of information (email, documents, voice recordings and more)
- Focuses on stealing passwords and encryption keys, as well as identifying servers that utilize encrypted communications
- Uses legitimate software distribution channels to move laterally within infected networks
- Uses a modified Lua scripting engine to implement core platform and plugins, of which there are an estimated 50 different types
- Can bridge air-gapped networks via specially prepared USB storage drives that carry data in a hidden area the operating system does not expose as a normal volume
- Uses a wide variety of exfiltration methods, including email and tunnelling data out inside DNS queries
Researchers from various security vendors are still working to unpack ProjectSauron's covert trail. That's going to take a while, and as we all know, the adversaries behind it aren't cashing in and taking early retirement. They're emboldened by their success, and are busy hunting for new victims and building new or modified malware. It's what they do.
As such, organizations can’t assume that they “dodged a bullet” because they weren’t hit by Remsec (at least, not to their knowledge…). Instead, they need to take specific, practical steps to help minimize both the likelihood and impact of a true APT – because there WILL be more in the future.
It remains unclear how Remsec first gets into a targeted network. But even when that information comes to light, it won't solve the problem on its own, because 100% prevention isn't possible. What's more, since Remsec's core components run in an infected device's memory rather than as files on disk, checking hosts against a list of basic indicators of compromise such as file hashes will miss it.
Our advice is this: given that the implants and C2 servers are customized for each target and never re-used, Remsec, and similar attacks, can only be detected and confirmed efficiently by analyzing network behaviour over time, for example with supervised machine learning models trained to recognize the evasive techniques (covert exfiltration channels, unusual lateral movement) rather than any fixed indicator.