My guess is that this is an American or Israeli state-backed group.
Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware
A cyberespionage APT crew named GoldenJackal hacked air-gapped PCs belonging to government and diplomatic entities at least twice using two sets of custom malware, according to researchers from antivirus vendor ESET. The firm’s investigators believe GoldenJackal wields a bespoke toolset it used to breach a government org in …
COMMENTS
Thursday 10th October 2024 05:24 GMT DS999
Hey beast666
You really need to change user IDs here once in a while, everyone here knows you're some loser Russian working the PCs as Putin's slave to avoid being sent to the front to die. At least under a new user ID you might fly under the radar for a week or two before you make yourself too obvious again.
Too bad you aren't smart like the GoldenJackal guys; I'm sure they live a much better life than you since they're much more valuable to comrade Putin than a totally disposable Дебил who is only qualified to troll low value targets like the Reg where your posts get read by maybe a few hundred people a day.
Thursday 10th October 2024 06:57 GMT Pascal Monett
“an unknown worm component”
Maybe social engineering?
An embassy was infiltrated. Embassy personnel know better (normally) than to pick up a stray USB and insert it into their work PC. I'm thinking specific employees were targeted with the appropriate arguments and an infected USB key was handed over. The arguments can range anywhere from basic seduction to promises of important data.
The only other possibility is that the cleaning lady had a hand in this.
Thursday 10th October 2024 09:33 GMT Ashentaine
Re: “an unknown worm component”
I mean, telling someone "hey I saw so-and-so drop this in the hallway, could you put it on their desk for them" on a late Friday afternoon would work just fine. So-and-so will come in Monday morning or later, probably think they just left it out when their mind was on the time being pub o'clock last week, and there you go.
Thursday 10th October 2024 08:40 GMT Anonymous Coward
Re: “an unknown worm component”
"Embassy personnel know better (normally) than to pick up a stray USB and insert it into their work PC."
They should. They will have been trained against it. But if there's a USB key dropped in the car park or stairwell or on a desk somewhere in the building, what do you bet their first instinct is to see what's on it and whether it's identifiable? If it's got some 'reasonable' content on it and maybe some staff names then chances are they'll leave it at reception for the purported owner.
People are lazy, forgetful and make mistakes.
I've seen it happen in my own (previous) company. There was an expensive looking USB drive left on the table after a meeting with a client and my manager at the time wanted to see what was on it.
We happened to have an airgapped anti-malware laptop set up so she was able to do that risk free and see it was OK and belonged to the client but, if that hadn't been there, I'm pretty confident she'd have tried it on her own laptop.
Thursday 10th October 2024 09:54 GMT cosymart
Re: “an unknown worm component”
"We happened to have an airgapped anti-malware laptop set up." One would hope that this was set up by your IT dept for that very purpose; such things don't just magically appear. All organisations should have at least one such machine readily available that is regularly purged of accumulated crud.
Tuesday 15th October 2024 12:03 GMT Anonymous Coward
Re: “an unknown worm component”
We were a small consultancy. We didn't have a separate IT function, we all contributed. Our cybersecurity guy had set it up for anti-malware and physical network monitoring. It didn't run Windows and he did a full wipe and rebuild from DVD between customers. It happened to be back at base for just that treatment instead of plugged into a customer network. It was airgapped in the sense that it didn't have a wifi driver and we didn't have a cabled office.
Thursday 10th October 2024 13:19 GMT Jonathan Richards 1
Air gapped still needs the gap bridging, sometimes
OK, you have a risk profile for your IT that means it should be air-gapped from the Internet. Great. That stops you being affected by some widespread zero-day. But you have to build and maintain the operating systems on the "safe" side of the air gap, and get operational data in, and products out. That means that the air gap isn't just some fresh air - it's a carefully managed interface to The Great Outside. The operational data coming in must be sanitized, on trusted media, and the products out must not give away attack vectors to bad actors who might get hold of it.
If part of your careful management is to carry data over the gap with USB devices, then gluing up the ports isn't useful. Perhaps a USB driver stack that works only with specific whitelisted device IDs, and special control measures on how the whitelist is managed? Big Red Klaxon for when a black-listed device is plugged in?
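The allow-list-plus-klaxon idea above, as an added example that is not from the original thread or from ESET: it parses constructed kernel-log lines of the kind dmesg prints on USB insertion, pairs each device's vendor/product IDs with its serial number, and raises an alert for any device not on a hypothetical allow-list. It goes one step past the post by pinning on the serial as well, since vendor:product pairs are shared by every stick of the same model.

```python
import re
from dataclasses import dataclass

# Constructed sample of kernel-log lines in the format dmesg uses on USB insertion
# (idVendor/idProduct on one line, SerialNumber on a later line for the same port).
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-1: SerialNumber: 4C530001230425123456
usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 1-2: SerialNumber: 08606E6D4E8CBF90F7A5
usb 2-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 2-1: SerialNumber: 4C530009999999999999
"""

# Hypothetical allow-list: the one sanctioned transfer stick, pinned to its serial number.
ALLOWLIST = {("0781", "5583", "4C530001230425123456")}

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")


@dataclass(frozen=True)
class Device:
    port: str
    vendor: str
    product: str
    serial: str


def parse_devices(log: str) -> list[Device]:
    """Pair each 'New USB device found' line with the SerialNumber line for the same port."""
    pending: dict[str, tuple[str, str]] = {}
    devices: list[Device] = []
    for line in log.splitlines():
        if m := FOUND.match(line):
            pending[m.group(1)] = (m.group(2), m.group(3))
        elif (m := SERIAL.match(line)) and m.group(1) in pending:
            vendor, product = pending.pop(m.group(1))
            devices.append(Device(m.group(1), vendor, product, m.group(2)))
    return devices


def audit(log: str, allowlist=ALLOWLIST) -> list[str]:
    """Return one alert per device that is not on the allow-list (the klaxon cases)."""
    alerts = []
    for d in parse_devices(log):
        if (d.vendor, d.product, d.serial) not in allowlist:
            alerts.append(f"ALERT port {d.port}: unapproved device {d.vendor}:{d.product} serial {d.serial}")
    return alerts
```

The third device in the sample has the same vendor:product as the approved stick but a different serial, which is exactly the case an ID-only whitelist would wave through; in production this policy is the kind of thing a kernel-level device-authorisation tool such as USBGuard enforces before the device is even bound to a driver.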
Thursday 10th October 2024 16:49 GMT Anonymous Coward
Re: Air-gapped
There are a few ways to exfiltrate from an air-gapped machine.
There's a good list here (I'm not affiliated with them):
https://www.packetlabs.net/posts/exfiltrating-data-from-air-gapped-systems/
Audio signals, Monitor flicker, Radio frequencies, Thermal signature, LED flicker
...so some more practical than others.
Good luck, and let us know how you (and your friend) get on.
Tuesday 22nd October 2024 21:35 GMT Anonymous Coward
Re: Air-gapped
I worked on a small part (system log file reports) for making a system that could pass B1 security in the US. Looked at the requirements and saw the A1 requirements which said to also report on any other ways data could leave the system, including ways not thought of yet, or something to that effect.
Thursday 10th October 2024 22:23 GMT Anonymous Coward
Re: Air-gapped
Malware runs, finds data, copies it to USB stick.
When the USB stick is plugged into a non-air-gapped device, the malware runs and the data on the USB is uploaded to the C2.
This is because the USB stick is the one used to transfer stuff in and out of the air-gapped network by the not so smart users of this "secure" network.
That's how GoldenJackal did this.
The initial delivery to the organisation was apparently by some sort of Internet attack on non-secure PCs that infected the devices and looked for USB sticks to infect.
It's probably more targeted than that though. Spearphish of known users who admin the secure network... Such targets are often easy to ID.