A new team of cyberspies using custom-built and highly stealthy malware designed to eavesdrop on encrypted communications has been identified by security researchers.
Variously dubbed “Strider” or “Project Sauron” — because of references to the all-seeing eye of Mordor in fragments of malicious code that have been recovered — the team has been active since at least 2011, according to Symantec and Kaspersky Lab.
Kaspersky researchers describe Project Sauron as a “true” advanced persistent threat, or APT, and almost certainly a nation-state effort — estimating its development and operation over five years “is likely to have required several specialist teams and a budget probably running into millions of dollars.”
Kaspersky says the group has infiltrated more than 30 target organizations in Russia, Iran and Rwanda — including successfully penetrating so-called air-gapped networks that aren’t connected to the Internet at all. The researchers also found that some versions of the malware appear designed to steal documents labeled in Italian.
Symantec states it has found evidence of infections in seven organizations, including four in Russia, one in Sweden, an airline in China and an embassy in Belgium.
Neither company makes any attribution of the attacks to a specific nation-state, but Kaspersky says there is some evidence the malware was written by native English speakers. Both Kaspersky and Symantec note the group has been remarkably selective in its targets and has successfully (until now) kept off security researchers’ radars.
Kaspersky says it has yet to discover how Project Sauron’s malware, called Remsec, initially obtains its foothold in a targeted network. Moreover, the researchers say, the malicious software implants and the command and control servers that direct them “are customized for each individual target and never re-used — so the standard security approach of … checking for the same basic indicators of compromise [or IOCs] is of little use.”
Instead, the presence of the malware, most of which exists solely in the infected network’s memory, eschewing a giveaway presence on computer hard drives, can only be inferred from an analysis of network data flows using so-called Yara rules — essentially a search for certain types of anomalous traffic.
The Remsec malware “actively searches for information related to [a] rather uncommon, custom network encryption software,” the Kaspersky researchers write. “This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange.”
Different malware modules are aimed at harvesting different kinds of data, but overall, the researchers conclude, the attackers seem most interested in stealing encryption keys and passwords for the software, and in identifying the servers that pass the encrypted communications from point to point.
The group’s tools use a very wide variety of exfiltration methods to get its stolen information out — including disguising data as DNS requests and in emails.
Kaspersky says that the group has been active as recently as this year but may now have ceased activities.