European Govt Air-Gapped Systems Breached Using Custom Malware (bleepingcomputer.com)
An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents. From a report: According to an ESET report, this happened at least two times, one against the embassy of a South Asian country in Belarus in September 2019 and again in July 2021, and another against a European government organization between May 2022 and March 2024. In May 2023, Kaspersky warned about GoldenJackal's activities, noting that the threat actors focus on government and diplomatic entities for purposes of espionage. Although their use of custom tools spread over USB pen drives, like the 'JackalWorm,' was known, cases of a successful compromise of air-gapped systems were not previously confirmed.
Air Gapped, so the problem is humans? (Score:3)
Humans, and their lack of training. Is anyone surprised?
Re: Air Gapped, so the problem is humans? (Score:1)
Or the agreed on distributed version of USB? How about those dodgy spectre mitigations idw I didn't read the cause.....
Re: (Score:3)
Anyone who's seen a James Bond movie knows that the weak link in the system is the villain's girlfriend with the innuendo filled name.
Re: (Score:2)
Anna Chapman [wikipedia.org] might agree.
Re: (Score:2)
It's not the mounting that's the problem: it's the auto-start feature when the drive is mounted. Auto-start should be disabled.
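As an added example (not from any commenter), here is a PowerShell audit/enforce script for the two Windows policies that matter for this thread's point: the AutoRun setting that runs code when a drive is mounted, and the optional policy that refuses to mount removable storage at all. It assumes an elevated shell and uses the documented Group Policy backing registry keys; the 0x91 default value is shown beside the hardened 0xFF value.

```powershell
# Added example: audit and enforce the removable-media policies behind
# "disable auto-start on mount". Assumes an elevated PowerShell session.
$AutoRunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableMediaPolicy {
    # Reports the effective settings so an auditor can see the gap before fixing it.
    $noDrive = (Get-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $denyAll = (Get-ItemProperty -Path $RemovableKey -Name Deny_All `
                -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        # 0xFF disables AutoRun for every drive type. Unset, or the 0x91 default,
        # still lets AutoRun fire for removable drives.
        AutoRunDisabledEverywhere = ($noDrive -eq 0xFF)
        # Deny_All = 1 is "All Removable Storage classes: Deny all access".
        RemovableStorageDenied    = ($denyAll -eq 1)
    }
}

function Set-RemovableMediaPolicy {
    param([switch]$DenyRemovableStorage)
    foreach ($k in $AutoRunKey, $RemovableKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Weak (default): NoDriveTypeAutoRun = 0x91  -> AutoRun active on removable drives
    # Hardened:       NoDriveTypeAutoRun = 0xFF  -> AutoRun off for all drive types
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    if ($DenyRemovableStorage) {
        # Goes further than disabling AutoRun: removable storage cannot be mounted at all,
        # which is the setting an air-gapped host should normally carry.
        Set-ItemProperty -Path $RemovableKey -Name Deny_All -Value 1 -Type DWord
    }
}

# Usage: enforce both settings, then print the audit result.
Set-RemovableMediaPolicy -DenyRemovableStorage
Get-RemovableMediaPolicy
```

The Deny_All policy takes effect for newly inserted devices after a policy refresh; the AutoRun value applies to Explorer sessions started afterwards.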
Who allowed that? (Score:2)
Who let anyone put a USB drive in a secure air-gapped system?
If there was a formal way to get files out of The System, you'd hope it was more thought out than that.
The way I hear it, for American classified systems it's ten pin transfer only.
Re:Who allowed that? (Score:5, Informative)
When I worked for a classified US Gvt entity, all the USB ports and anything else that could be used to copy data in/out in a similar manner were physically destroyed by the IT security team before they handed out computers.
You can't train people to do the right thing. Even the most OCD and knowledgeable person will eventually fuck up and they got you.
I am both amazed and saddened that in this day and age of super hacker state groups such an attack is even a physical possibility. It is easy to destroy USB ports. This never should have been possible.
Re: (Score:2)
You can't train people to do the right thing.
True. But there are people that will know what the right thing is and will not mess up. But these are rare, expensive and will likely not be willing to work for you.
Re: (Score:2)
Waaaay back in the day, I was the only devops/sysadmin/network guy at a startup. Fingers flying over the keys all day handling multiple jobs simultaneously. Email comes in with link from someone else at company saying, "Hey check this out!" with a link. I literally had mouse over link moving robotically through all the shit I had to do. Then snapped back to consciousness and stopped to actually _look_ at what I was about to do.
Started writing a company wide email warning but before I got 5 seconds in, a
Re: (Score:2)
block USB 3 and 4. just use a hardened USB 2 with user-space drivers. DMA on USB? then opening up more with video/PCI with thunderbolt... 1 plug with a bunch of tiny icons indicating different sub-standards... idiotic. just to keep 1 physical plug for "ease" when actually complicating the thing more!
WTF? has everybody gone stupid? 1 simple serious port that is durable long lasting and slow and secure... make another plug for direct to RAM, PCI bus, etc. for fast security breaches and electrical attac
Re: (Score:2)
Sorry, what's "ten pin transfer"? Google doesn't seem to want to enlighten me.
I imagine it refers to ten fingers, though it seems pretty optimistic to assume that everyone would type properly using all of their fingers. (In Finnish, touch typing is referred to as the ten-finger system.)
Re: (Score:2, Funny)
I've certainly processed a few jpegs using the old five finger transfer.
Re: (Score:1)
Sorry, what's "ten pin transfer"? Google doesn't seem to want to enlighten me.
I would imagine that it's some form of modified or proprietary DB9 serial type port (with perhaps an old-school null modem) and serial transfer mechanism.
Re: Who allowed that? (Score:3)
The boss just sent a USB drive. He demands the Excel files stored on it printed and signed ASAP. And he specifically doesn't want any security eggheads making this any more difficult than it needs to be.
Re: (Score:2)
Who let anyone put a USB drive in a secure air-gapped system?
Probably some wannabe IT security "expert" that is anything but. These people can be found in, for example, the "Big Four" consulting firms. IBM also has these and Microsoft does too. Use any of them, and their primary goal will be to sell you something, as expensive as possible. Now add "management" and "decision makers" that are in awe of big names, but completely clueless and you get something like in the story.
USB drives to blame (Score:1)
The attack involves USB drives, which people are using. Originally these could be thrown around in parking lots next to the targeted buildings, or dropped into pockets/purses of the targeted personnel. Once inserted, they infect the computer and begin propagating themselves to other drives. The virus would also either copy "interesting" files to the drives, if it finds itself unable to send them out (as it would behind an air-gap), or send them out, if possible.
The immediate reaction is to ban the usage
Re: (Score:3)
You totally can get by without USB drives, fast passive serial connections have been around for decades. You just have to be willing to acquire the right stuff and follow proper procedure. Complacence is the hardest problem to solve here, but is it ever a doozy.
Re: (Score:1)
And how would you, say, upgrade a computer, if you cannot bring any new data into it?
You can make it harder, but you cannot eliminate the threat entirely — much like a medieval castle cannot stand (for long) without a few gates breaching its walls.
Re:USB drives to blame (Score:5, Informative)
And how would you, say, upgrade a computer, if you cannot bring any new data into it?
You can make it harder, but you cannot eliminate the threat entirely — much like a medieval castle cannot stand (for long) without a few gates breaching its walls.
I did this, as a tech at a secure facility. There was a security checkpoint between the staff areas (front offices, break rooms, and locker rooms) and the work areas. Most staff were not allowed to take anything in or out - not even a pen. As an authorized tech, I could bring data in on CD/DVD/USB but I could not take it back out. Anything I brought in stayed in. Everyone got patted down by security.
Someone could sneak something in/out, but it would not be an accident. Getting caught would be termination with cause - at minimum.
Re: (Score:3)
I used to work at a facility where they were real sticklers about security...except they didn't know what they were doing. Yeah, you couldn't use USB drives but you could scp anything in/out you wanted.
Re: (Score:2)
Indeed. This _can_ be done right and it is _known_ how to do it right. There are just too many fake "experts" in the IT space and that includes IT security people.
Re: (Score:2)
And how would you, say, upgrade a computer, if you cannot bring any new data into it?
You do not need to and you do not want to. That is the beauty of an isolated system. Suddenly all that "update", "new AV signatures", etc. crap goes away. Takes an actually working mind to see that though.
Re: (Score:2)
And how would you, say, upgrade a computer, if you cannot bring any new data into it?
You can make it harder, but you cannot eliminate the threat entirely — much like a medieval castle cannot stand (for long) without a few gates breaching its walls.
You use some form of storage, USB drives or something else, that you source from a trusted security vetted manufacturer. Once that storage goes into the facility it does not leave it without being wiped first and it does not come back in again if there is the slightest ambiguity about the custody chain while it was out of the facility. You also eliminate all USB sockets that are not necessary for peripherals and those USB sockets that are used for peripherals are either lockable or you make it impossible in
Re: (Score:3)
Nobody acquires the right stuff or follows proper procedures.
Re: (Score:3)
How would this document, once prepared on a classified system behind an air-gap, be shared/published to the outside world?
You request a copy that will be handed to you (yes, perhaps on a USB drive) through proper channels.
The most obvious answer is: USB-drive...
You don't get to decide what is/is not suitable for export from some classified data store. Or how it should be moved.
all fortifications require some means of getting through them — gates, bridges, doors...
And there's a guard with an M-16. Show him your credentials and clearance.
Re: (Score:2)
Who are these "proper channels"? Some other people? How do you know they would never pick up a stray USB drive?
For one, a human guard is no harder — perhaps, even easier — to subvert, than a mechanism.
More importantly, my point was more general: even though gates and doors weaken the defenses, they cannot be completely eliminated.
Re: (Score:2)
Who are these "proper channels"? Some other people? How do you know they would never pick up a stray USB drive?
When you have the formality of a guard, a simple part of the procedure is to ask "You didn't get this from the parking lot, right?"
The problem isn't strays, the problem is someone getting a compromised drive into your supply chain. And if your supply chain is Staples, say, you may have already lost the game.
Re: (Score:2)
And if your supply chain is Staples
Yeah. You don't know who hung those blister-packed USB drives on their rack.
I imagine that any decent SCIF will have a process for acquiring "clean" USB drives. Probably PIN or password secured drives. You can write this once. But only the person at the other end (whom you have cleared through the data transfer request) has the unlock key.
Re: (Score:1)
That guard may know even less about the threats than the personnel actually using a computer. The guy could insert the USB drive he found on his way to the job just as well as that hypothetical press secretary I used in my example.
And a "special" drive only needs to be inserted once. After that, you can keep using your strictest-vetted ones, and they'll become compromised too...
Hezbollah may wish they bought their pagers [bbc.com] at Staples, i
Re: USB drives to blame (Score:2)
You print it, it gets proper security/content reviews, and if it passes muster, you scan it into the unclassified system.
Efficient? Not particularly. Foolproof? No, there's probably some sort of microdot encoding that can get printed in amongst the legitimate text, but that would somehow have to pass the airborne security checks and also be readable after printing and scanning.
Re: USB drives to blame (Score:2)
Airborne=aforementioned
Re: (Score:3)
How would this document, once prepared on a classified system behind an air-gap, be shared/published to the outside world?
Back when I worked with above top secret level systems like this, transfers of info were done by printing it out from one system to paper; then a conveyor belt transferred the printouts to the secondary system, where the papers were OCR'd back into digital form, at which point the conveyor belt continued on to the paper shredder.
Re: (Score:2)
, someone with fully legitimate access to classified data needs to make a non-classified report or even a press-release. The document would be based on classified facts — without including them.
That is really not hard. You prepare the document in the secure environment. Then you ask for it to be declassified, giving full references and justifications. Somebody _else_ (in fact several people) verify that declassification is acceptable and then do it. And these people can transfer data out of the system in some way. It is not difficult to make that an inside-to-outside only data channel either (e.g. isolated text-only printer + OCR for a high-security solution that is not actually expensive). You j
More like "flipflopnet". (Score:5, Funny)
Re: (Score:1)
Given the term sneakernet, shouldn't we call it sneaker-gapped?
Re: (Score:2)
Yep, that nicely sums it up. Also something any actual security expert will tell you.
You fucking dumbasses! (Score:2)
Jesus H Christ (Score:2)
All bets are off if someone can gain physical access to the hardware. At that point, disabling (either via BIOS or literally disconnecting or plugging them) external ports is the only way to go.
Re: (Score:2)
Indeed. And that is something _every_ actual security expert will tell you. It is in no way a secret or hard to understand.
As to the external ports, the only thing safe is to disconnect them or prevent physical access. Software-disable (BIOS) is _not_ enough.
Why is "air-gapped" still seen as secure? (Score:2)
Just about every device these days, even desktop computers, comes with built-in wireless networking. The notion that "not connected to a network with wires" is somehow secure seems a bit quaint.
Re: (Score:2)
Because management is stupid and incapable of asking and then listening to actual experts. No other reason.
"Not previously confirmed"? Bullshit. (Score:2)
The Iranian uranium centrifuges were sabotaged that way and yes, that is as confirmed as it gets.