Spy Attacks ‘Went Unnoticed For Five Years’

Researchers have uncovered a long-term espionage campaign that has been silently stealing data from organisations in a number of countries for at least five years.

The spying group, which may be linked to a nation state, is known as Strider or Project Sauron and its technical sophistication demonstrates the difficulty in defending against determined attackers, experts said.

Custom tools

The group uses custom-built tools modified for each target and began its activities in October 2011 or earlier, according to two independent reports from Symantec and Kaspersky Lab.

The group is selective in its targets and infections have only been found on 36 computers used by seven separate organisations in four countries, Symantec said in an advisory.

Those organisations include several in Russia, an airline in China, an organisation in Sweden and an embassy in Belgium, Symantec said.

Kaspersky said it was aware of more than 30 infected organisations in Russia, Iran, Rwanda, possibly in Italian-speaking countries, and likely also elsewhere, with the sectors targeted including government, scientific research, military, telecommunications and finance.

“Project Sauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods,” Kaspersky said in its own advisory.

Modular platform

It uses a modular platform with at least 50 plugin types, deploys strong encryption, and targets communication encryption software used by governmental organisations, Kaspersky said.

“It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operation system,” the firm stated.

“Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.”

The group was still active in April of this year, and although it appears to have “largely” shut down, it may still be targeting systems, Kaspersky said.

Kaspersky said it uncovered Project Sauron in September of last year when it found “anomalous” network traffic on a client’s network.

“Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server,” Kaspersky stated. “The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext. Additional research revealed signs of activity of a previously unknown threat actor.”

A recent study found that nearly two-thirds of IT security professionals believe their organisations are potential targets for nation-state computer attacks.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago