The cyberespionage group identified as Strider by Symantec researchers is as advanced and sophisticated a threat as any other known APT in history — including Duqu, Flame, The Equation Group and Regin — according to an analysis by Kaspersky Lab.
In Kaspersky circles, the APT group goes by a different name — ProjectSauron — because configuration files found within the APT’s malicious code reference the villain Sauron from the Lord of the Rings book series. Kaspersky’s report sheds additional light on the elite threat, which has existed since at least 2011 and appears to be highly selective in choosing its targets, customizing the subsequent attacks accordingly.
Kaspersky uncovered the threat after noticing anomalous traffic in a client organization’s network. “The actor did everything possible to operate under the radar, but at the end of the day, they still have to rely on the victim’s systems for some semblance of persistence and the victim’s network for exfiltration. This allows new, tailored defense technologies to latch onto anomalies and eventually unveil the entire malware platform,” said Juan Andrés Guerrero-Saade, senior security researcher at Kaspersky Lab, in an email interview with SCMagazine.com.
The research lab reported finding over 30 infections affecting government computers, scientific research centers, military systems, telecommunication providers and the finance industry since first uncovering threat indicators in September 2015. While most targets were based in Russia, Symantec also detected the threat in Chinese, Swedish and Belgian assets, while Kaspersky separately detected infections in Iran, Rwanda and possibly certain Italian-speaking countries.
“ProjectSauron seems to be dedicated to just a few countries, focused on collecting high-value intelligence by compromising almost all key entities it could possibly reach within the target area,” the Kaspersky report said.
Such behavior indicates the APT is likely backed by a nation-state — a conclusion Symantec drew in its own report. “We can say the malware, tactics, tools and procedures (TTPs), as well as victims discovered during this investigation, are what is usually seen with cyberespionage campaigns which are often sponsored by nation-states,” said Jon DiMaggio, Symantec senior threat intelligence analyst, in an earlier emailed interview with SCMagazine.com.
Kaspersky also reported that the APT is especially interested in a specific communication encryption software that is prominently used by the targeted government organizations. To that end, ProjectSauron steals encryption keys, configuration files and the IP addresses of infrastructure servers linked to this software. Moreover, ProjectSauron extensively leverages DNS protocols as well as DNS tunneling techniques for data exfiltration and real-time status reporting.
Even air-gapped computers are not immune. According to the report, the threat actor is able to lift data from isolated networks and transfer it to Internet-connected systems using specially crafted removable USB storage drives that contain hidden storage areas — invisible to a machine’s operating system.
To spy on organizations and steal their data, ProjectSauron uses highly sophisticated modular malware, which Symantec refers to as Remsec. To maintain persistence, Remsec’s backdoor module is placed on networks’ domain controllers as a Windows Local System Authority password filter. This means that any time a user or admin enters or changes a password, the backdoor automatically starts up and collects said password.
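A defender's check for the persistence method described above, as an added example that is not part of the original article or of either vendor's report: Windows registers LSA password filters in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, so the script below compares that value, as exported with `reg query` from each domain controller, against a baseline. The host names, the sample output and the baseline set are constructed assumptions.

```python
import re

# Assumed baseline of expected filter names; replace with your own gold-image value.
BASELINE = {"scecli", "rassfm"}

# Constructed sample: output of
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
# as it might be collected from three hypothetical domain controllers.
SAMPLE = {
    "dc01": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm
""",
    "dc02": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0examplefilter
""",
    "dc03": "ERROR: The system was unable to find the specified registry key or value.\n",
}

# reg.exe prints REG_MULTI_SZ entries on one line, separated by a literal "\0".
VALUE_RE = re.compile(r"^[ \t]*Notification Packages[ \t]+REG_MULTI_SZ[ \t]*(.*)$", re.M)

def parse_packages(reg_output):
    """Return the list of registered packages, or None if the value is absent."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    return [p.strip() for p in m.group(1).split("\\0") if p.strip()]

def audit(outputs, baseline=BASELINE):
    """Map each host to the entries that need review; clean hosts are omitted."""
    allowed = {b.lower() for b in baseline}
    findings = {}
    for host, text in sorted(outputs.items()):
        pkgs = parse_packages(text)
        if pkgs is None:
            # A failed query is itself a finding: the host was not verified.
            findings[host] = ["<value missing or query failed>"]
            continue
        extra = [p for p in pkgs if p.lower() not in allowed]
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    for host, items in audit(SAMPLE).items():
        print(f"{host}: review {items}")
```

A name outside the baseline is a lead rather than a verdict: each entry names a DLL loaded by LSA, so the follow-up is to locate that file and check its signature and origin.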
Kaspersky said it found 28 domains connected to 11 IPs in the U.S. and Europe that appear to be linked to ProjectSauron activity. “Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns. Unfortunately, little is known about these servers,” Kaspersky reported.
“Thorough visibility into a truly sophisticated actor like this is complicated. There is little to latch onto for a lateral understanding of the deployment of the ProjectSauron platform,” added Guerrero-Saade. “We do believe this is only the tip of the iceberg and that there are other victims out there, but with this sort of platform they’ll likely be found on a case-by-case basis.”
UPDATE 8/10: The article has been updated to include quotes from Kaspersky Lab.