Spy Attacks ‘Went Unnoticed For Five Years’

Researchers have uncovered a long-term espionage campaign that has been silently stealing data from organisations in a number of countries for at least five years.

The spying group, which may be linked to a nation state, is known as Strider or Project Sauron and its technical sophistication demonstrates the difficulty in defending against determined attackers, experts said.

Custom tools

The group uses custom-built tools modified for each target and began its activities in October 2011 or earlier, according to two independent reports from Symantec and Kaspersky Lab.

The group is selective in its targets and infections have only been found on 36 computers used by seven separate organisations in four countries, Symantec said in an advisory.

Those organisations include several in Russia, an airline in China, an organisation in Sweden and an embassy in Belgium, Symantec said.

Kaspersky said it was aware of more than 30 infected organisations in Russia, Iran, Rwanda, possibly in Italian-speaking countries, and likely also elsewhere, with the sectors targeted including government, scientific research, military, telecommunications and finance.

“Project Sauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods,” Kaspersky said in its own advisory.

Modular platform

It uses a modular platform with at least 50 plugin types, deploys strong encryption, and targets communication encryption software used by governmental organisations, Kaspersky said.

“It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operation system,” the firm stated.

“Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.”

The group was still active in April of this year, and although it appears to have “largely” shut down, it may still be targeting systems, Kaspersky said.

Kaspersky said it uncovered Project Sauron in September of last year when it found “anomalous” network traffic on a client’s network.

“Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server,” Kaspersky stated. “The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext. Additional research revealed signs of activity of a previously unknown threat actor.”

A recent study found that nearly two-thirds of IT security professionals believe their organisations are potential targets for nation-state computer attacks.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

4 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

7 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

8 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

9 hours ago