Kaspersky Lab unmasks cyber espionage group targeting government communications

ProjectSauron targets government, military, scientific research centres, telecom operators, and financial companies.

By Adrian M. Reodique
Aug. 15, 2016

Cybersecurity company, Kaspersky Lab, recently unmasked a nation-state threat actor called "ProjectSauron" targeting state organisations.

In a press release, Kaspersky Lab said more than 30 victim organisations have been identified in Russia, Rwanda, and Iran. These organisations play a key role in providing state services such as government, military, scientific research centres, telecom operators, and financial companies.

Kaspersky Lab also noted a forensic analysis which indicated that ProjectSauron has been operational since June 2011 and has remained active until this year. The attackers use an advanced modular cyber espionage platform that incorporates a set of unique tools and technique to encrypt communications.

Attackers also avoid patterns and customise the implants for each target, making them difficult to detect.

The core implants use legitimate software update scripts and work as backdoors, which downloaded new modules or run command from the attackers purely in memory.

They use a set of low-level tools that are orchestrated by high-level LUA scripts, which is rare in malware components, Kaspersky Lab said.

In addition, ProjectSauron actively searches for information related to custom network encryption software. The attackers are particularly interested in encryption software components, configuration files, keys, and the location of servers that relay encrypted messages between nodes.

Attackers also use specially-prepared USB drives to jump across air-gapped networks. The USB drives have hidden compartments in which the stolen data is concealed. Lastly, ProjectSauron uses multiple routes for data exfiltration, including legitimate channels such as e-mail and Domain Name System (DNS).  

"A number of targeted attacks now rely on low-cost, readily-available tools. ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customisable scripted code. The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting edge techniques from other major threat actors, is rather new," said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab.  

"The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organisational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none," Kamluk added.