Slashdot Mirror


Chinese Hacker Group Targets Air-Gapped Networks

itwbennett writes An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye, which released a 69-page technical report on Sunday on the group. FireEye picked up on it after some of the malware used by the group was found to have infected defense-related clients in the U.S., said Jen Weedon, manager of strategic analysis with FireEye.

71 comments

  1. What we need by fustakrakich · · Score: 3, Funny

    is a bigger gap!

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:What we need by Impy+the+Impiuos+Imp · · Score: 2

      "Mr. President, we cannot allow an air gap gap!"

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    2. Re:What we need by Anonymous Coward · · Score: 0

      Mine the Gap Please!

      .

  2. Hillarrhea!'s mail server? by Anonymous Coward · · Score: 1

    Haven't they already hacked that?

    1. Re:Hillarrhea!'s mail server? by Anonymous Coward · · Score: 1

      They probably paid for it. But we'll never know. She wiped the server clean after Congress asked her for the emails.

  3. No mention of getting data out by edtice1559 · · Score: 1

    It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing its job.

    1. Re:No mention of getting data out by turbidostato · · Score: 1

      "So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful."

      In one acronym: DoS.

    2. Re:No mention of getting data out by ScentCone · · Score: 4, Insightful

      you can bring your USB drive into the secure area, but it can't be removed ... I still don't have anything useful

      Stuxnet wasn't all about "getting anything out," either.

      --
      Don't disappoint your bird dog. Go to the range.
    3. Re:No mention of getting data out by masterofthumbs · · Score: 5, Informative

      I think they are relying on people to accidentally forget to confiscate the devices when leaving secure areas or the malware is waiting for some other way to communicate out of the network. Recently, a researcher showed how he was able to move data (albeit, very slowly) between two air-gapped machines just using temperature changes of both infected machines. Something using built-in speakers and mics of two machines could also move data using ultrasonic audio. If this is a targeted attack looking for a specific piece of information, a private key perhaps, you wouldn't need to transfer the information very long before someone notices.

      All of these air-gapped exploits pretty much rely on people clicking things they shouldn't or plugging things in to other things they shouldn't but the hard part is getting back out of the air-gapped network.

    4. Re:No mention of getting data out by geekmux · · Score: 3, Insightful

      It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing its job.

      This may be true of the systems you have worked on, but it isn't true of all classified systems.

      If a classified system is approved for trusted downloading, then it is enabled for certain data to be passed to and from that air-gapped system, usually via optical drive, but other means (USB, floppy) are not unheard of.

      Let's put this another way. Ongoing development that also includes attacks on air-gapped systems would not be ongoing if there were no viable methods of attack. That would be rather pointless.

    5. Re:No mention of getting data out by TheCastro1689 · · Score: 1

      Stuxnet dialed home everyday for new instructions though.

    6. Re:No mention of getting data out by dunkindave · · Score: 4, Informative

      It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing its job.

      There are ways for a machine to transmit information other than a wire, that can be detected by other devices. The infected air-gapped machine could send information out through its speakers that a microphone elsewhere could hear. It could flash its screen in binary in the middle of the night that someone outside the building might see through a window. It can raise and lower its power usage through various means that might be detected at the power feed. There was even an article a month ago talking about changing the heat output of the air-gapped machine that could be detected by the thermal sensors in a nearby computer. And there are even more that I won't go into.

      So there are ways to send information out even if the USB drive doesn't leave.

    7. Re:No mention of getting data out by ScentCone · · Score: 3, Insightful

      Sure, but something like that doesn't HAVE to, in order to still be a significant (and possibly lethal) PITA.

      --
      Don't disappoint your bird dog. Go to the range.
    8. Re:No mention of getting data out by dkman · · Score: 2

      You're a scary individual, but I like the way you think.

      --
      I refuse to sign
    9. Re:No mention of getting data out by Lumpy · · Score: 5, Interesting

      Don't have to dial home. Look for new incoming infections to carry the new commands.

      You attack an air-gapped but human-vulnerable system the way you send probes to outer space: you keep sending them in the hope that one reaches its target. Anything after that you send with the same hope, but with new commands for anything that may have made it there.

      And an air-gapped system can have a reverse comms channel; you just need to be clever in finding that channel. Attacking a science facility? You had to target a scientist to get it in there, so target that same person as the outgoing data stream. All you need is YES/NO data, so alter their data in a way that they would communicate back out manually.

      Pop up a typical windows error, "CAUTION ID10T ERROR OK/RETRY" They will report that back to IT via their email that you are watching. There is your return data channel.

      --
      Do not look at laser with remaining good eye.
    10. Re:No mention of getting data out by The-Ixian · · Score: 1

      Do you need some sort of auto-run action upon insertion of the USB stick in order for this to work?
       
      Seems crazy that you would have a policy to automatically execute anything.

      --
      My eyes reflect the stars and a smile lights up my face.
    11. Re:No mention of getting data out by pscottdv · · Score: 1
      --

      this signature has been removed due to a DMCA takedown notice

    12. Re:No mention of getting data out by Anonymous Coward · · Score: 0

      If the malware's job is to destroy data, then just getting into an air-gapped lab is all it takes.

      The problem is that USB is so generic, a USB flash drive can present itself as many devices, be it a keyboard, pointing device, CD-ROM, as well as a removable drive.

      The security issue is twofold. The first is someone just buying a USB flash drive and not knowing it is Trojaned, the other is someone deliberately going in with it as a means of destruction. In that case, what should have been done is separation of duties [1], backups, and technological safeguards.

      The second is being the victim of a Trojan horse. I saw this at a small company. At the reception desk, someone left a bunch of "sample MP3 cds". This was a few years ago where Windows would happily run anything stuffed into it with an autorun.inf. Well, said firm ended up pretty much shutting its doors after a competitor based overseas mysteriously started putting out the same exact product for a fraction of the price, letting the company's clients know by name about the fact that they have it.

      Moral of the story: Rogue employees, you tend to be fscked. However, USB flash drives can be dealt with in a number of ways:

      1: Moving to a ringed system. The secure stuff goes onto App-V or Citrix servers, while desktops are secured reasonably. This way, an intruder might be able to -access- data, but not just grab a DB backup and send it back to where they came from.

      2: Block USB drives. Easy to do in BIOS, in the OS, part of a GPO, part of BitLocker, part of Symantec Endpoint protection, physical locks, or at worst, snip the leads and squirt epoxy in the connectors.

      3: Make sure people know not to bring in USB drives -- common sense.

      I'd use a combination of the above. App-V for isolation, the secure machines (DCs) have USB locked out, and some common sense user training.

      [1]: Almost impossible in a smaller company where IT people have to overlap. You just have to trust people at some point.
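
The propagation behaviour the summary describes (malware that writes itself onto removable drives so the next host runs it) leaves a trace that the defensive side of the post above can look for before the epoxy comes out. The script below is an added example, not code from this thread or from FireEye's report: it runs a correlation rule over a constructed, hypothetical device-arrival and file-creation log and flags an autorun.inf, or an executable written by a non-interactive process, landing on a volume that was plugged in moments earlier. The log line shape, the 120-second window and the allowed-writer list are all assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log for this example. The line shape
#   <ISO-8601 timestamp> <EVENT> key=value key=value ...
# is hypothetical and not the schema of any real endpoint product.
SAMPLE_LOG = """\
2015-04-13T09:12:03 DEVICE_ARRIVAL drive=E: serial=4C530001
2015-04-13T09:12:09 FILE_CREATE drive=E: path=E:\\autorun.inf proc=svchost.exe
2015-04-13T09:12:10 FILE_CREATE drive=E: path=E:\\RECYCLER\\setup.exe proc=svchost.exe
2015-04-13T09:14:30 FILE_CREATE drive=E: path=E:\\report.docx proc=winword.exe
2015-04-13T09:40:00 FILE_CREATE drive=E: path=E:\\tools\\putty.exe proc=explorer.exe
2015-04-13T10:00:00 FILE_CREATE drive=F: path=F:\\x.exe proc=cmd.exe
"""

WINDOW = timedelta(seconds=120)   # assumed: a worm drops its payload within 2 min of arrival
ALLOWED_WRITERS = {"explorer.exe", "robocopy.exe"}   # assumed site policy for interactive copies
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif|lnk|vbs|js)$", re.I)


def parse_line(line):
    """Split one log line into (timestamp, event name, key/value fields)."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return datetime.fromisoformat(ts), event, fields


def detect(log_text):
    """Return (drive, path, process, reason) for every suspicious write.

    A write is suspicious only if it lands on a volume that arrived within
    WINDOW; that correlation is what separates a worm from a user copying
    a tool onto a stick they plugged in half an hour ago.
    """
    arrivals = {}   # drive letter -> time the volume was last plugged in
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        if event == "DEVICE_ARRIVAL":
            arrivals[f["drive"]] = ts
            continue
        if event != "FILE_CREATE":
            continue
        arrived = arrivals.get(f["drive"])
        if arrived is None or ts - arrived > WINDOW:
            continue
        name = f["path"].rsplit("\\", 1)[-1]
        if name.lower() == "autorun.inf":
            alerts.append((f["drive"], f["path"], f["proc"], "autorun.inf dropped on new volume"))
        elif EXECUTABLE.search(name) and f["proc"].lower() not in ALLOWED_WRITERS:
            alerts.append((f["drive"], f["path"], f["proc"], "executable written by non-interactive process"))
    return alerts


if __name__ == "__main__":
    for drive, path, proc, reason in detect(SAMPLE_LOG):
        print(f"ALERT {drive} {path} ({proc}): {reason}")
```

On the constructed log only the two svchost.exe writes fire: the user's .docx and the putty.exe copied via Explorer half an hour later are ignored, and the write to F: has no recorded arrival to correlate with. The rule is a heuristic, not a signature, so its value is in being cheap to run on every host that still has a live USB port.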

    13. Re:No mention of getting data out by Ungrounded+Lightning · · Score: 1

      It can do bursts of computation, memory access, or anything else that varies the amount you wiggle voltages or currents on wires in a way that emits radio waves. You can do it without even trying (which is one way some smartcards exposed private keys ...).

      In the days of CRTs that applied especially well: Graphics output could modulate the beam and generate a LOT of radio. (Doing gray scales by making shifting fine patterns would be an especially "in your face but you can't see it" approach.) A fast photocell could read it from the light, as well.

      Preventing / shielding against things like this is what "Tempest" is about.

      I recall, back in the late '60s / early '70s, when I was doing software on a machine at a classified site. It had a music program that worked by wiggling the lines on three console display lamps that were also connected, by three resistors (forming a cheap D2A converter) to a volume control T-pad and a loudspeaker. Turns out it also modulated the memory access and/or other signals - a lot. I had left it playing "moon river" overnight, drove up to the building, and heard it on my A.M. radio.

      I realized it would have been trivial to exfiltrate a small amount of data, even on my starving student budget, by emulating an FSK modem and hooking a transistor radio to a battery-powered tape recorder (about the size of a briefcase in those days) left in the trunk of my car. (Not that I'd have needed to, since I could carry mag tapes in and out, but as a "white hat", how could it be done, exercise.)

      The security guys figured that out, too. A bit later I got a ping from management: Some guys from Washington had also driven up, noticed the arcade-quality "music", and given them grief about it.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
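
The channels described in the last several posts (ultrasonic audio between a speaker and a microphone, heat read by a neighbouring machine's sensors, RF from modulated memory traffic picked up on an AM radio, and the FSK-modem idea in the post just above) all reduce to the same engineering problem: switch a carrier between two states, sample it on the far side, and wrap the bits in enough framing that the receiver knows where a message starts and whether it arrived intact. The following is an added example, not code from any poster: a two-tone FSK modem with a sync byte, length byte and CRC-32, run over a synthetic noisy waveform standing in for a real sound card or sensor. The sample rate, baud rate and tone frequencies are assumptions; a real receiver would also need bit-timing recovery, which the synthetic signal lets the example skip. The last function is there for masterofthumbs' point about how little air time a targeted grab (a private key, say) actually needs.

```python
import math
import random
import zlib

SAMPLE_RATE = 8000          # assumed: samples/s delivered by the sound card or sensor
BAUD = 100                  # assumed: bits/s; a thermal channel would be orders of magnitude slower
F0, F1 = 1000.0, 2000.0     # assumed tones for 0 and 1; whole cycles per bit keep Goertzel exact
SPB = SAMPLE_RATE // BAUD   # samples per bit
SYNC = 0x7E                 # frame start marker


def frame(payload):
    """SYNC | length | payload | CRC-32(length+payload); payload limited to 255 bytes."""
    if len(payload) > 255:
        raise ValueError("split longer payloads across frames")
    body = bytes([len(payload)]) + payload
    return bytes([SYNC]) + body + zlib.crc32(body).to_bytes(4, "big")


def to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def modulate(bits, noise=0.0, seed=1):
    """Emit one tone burst per bit, plus Gaussian noise standing in for the real channel."""
    rng = random.Random(seed)
    out = []
    for n, bit in enumerate(bits):
        f = F1 if bit else F0
        for k in range(SPB):
            t = (n * SPB + k) / SAMPLE_RATE
            out.append(math.sin(2 * math.pi * f * t) + noise * rng.gauss(0.0, 1.0))
    return out


def goertzel_power(block, freq):
    """Energy in one frequency bin over a block: the receiver's tone detector."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Decide each bit by which tone carries more energy; assumes bit boundaries are known."""
    return [1 if goertzel_power(samples[i:i + SPB], F1) > goertzel_power(samples[i:i + SPB], F0) else 0
            for i in range(0, len(samples) - SPB + 1, SPB)]


def deframe(data):
    """Find a SYNC byte whose length and CRC check out; return the payload or None."""
    for i, b in enumerate(data):
        if b != SYNC or i + 2 > len(data):
            continue
        end = i + 2 + data[i + 1]
        if end + 4 > len(data):
            continue
        body = data[i + 1:end]
        if zlib.crc32(body).to_bytes(4, "big") == data[end:end + 4]:
            return bytes(body[1:])
    return None


def airtime_seconds(payload_len, baud=BAUD):
    """Seconds on the air for payload_len bytes plus the 6 framing bytes."""
    return 8 * (6 + payload_len) / baud


if __name__ == "__main__":
    secret = b"KEY:deadbeef"   # constructed stand-in for the thing worth stealing
    received = from_bits(demodulate(modulate(to_bits(frame(secret)), noise=0.5)))
    print("recovered:", deframe(received))
    print("256-byte payload at %d baud: %.1f s" % (BAUD, airtime_seconds(256)))
```

The CRC is what makes a slow channel usable at all: at a few bits per hour the sender cannot afford to retransmit blindly, and the receiver must be able to tell a clean frame from noise without a back-channel. Swapping the two tones for "fan on / fan off" or "CPU busy / CPU idle" changes the modulator and the sensor, not the framing.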
    14. Re:No mention of getting data out by Anonymous Coward · · Score: 0

      Do you need some sort of auto-run action upon insertion of the USB stick in order for this to work? Seems crazy that you would have a policy to automatically execute anything.

      Every time you plug in a USB device on any platform there is "some sort of auto-run action" at the hardware/driver handshake level, which can be used by malware. This can't be disabled, it is part of the USB standard spec.

    15. Re:No mention of getting data out by rtb61 · · Score: 1

      That is not technically correct, as a proper air gapped network should not have any means to digitally add data other than via secured, monitored and filtered access points. So failures in air gap system design are obvious: still-live wireless hardware, unconditioned power feeds and local terminals with poor input control methods. The untoward access to a properly designed air gapped network should be via corruption of personnel, and that data should only be copied and removed in hard copy form or be added manually, except at the specific control point for the digital addition or removal of data. That power supply can be a real problem for bringing bad data into an air gapped network, but it requires that the hardware in the network has already been compromised. Of course with so much stuff sourced from China in the blind US rush for greed, that is likely to have occurred. Now with lots of government three letter agency attacks hidden behind false flag terrorism, yep, sure, a bunch of goat herders in a cave brought down a commercial broadcast network (lies work best when you can silence the truth, even just temporarily, until the bulk of the killing is over). So bad people in positions of trust will always be the greatest problem, and of course for the spy agencies psychopaths make the best agents; that shameless lying works well for them, or does it?!?

      --
      Chaos - everything, everywhere, everywhen
    16. Re:No mention of getting data out by Anonymous Coward · · Score: 0

      Flash media is getting awfully small these days. What would stop somebody from putting a tiny flash card under their tongue? What if they swallowed it and extracted it when it was passed through?

      This is of course talking about an actor who is intentionally trying to exfiltrate data; not somebody who is unwittingly taking data home from a malware attack that he would plug into his PC and cause to phone home.

    17. Re:No mention of getting data out by drkim · · Score: 1

      ...even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful.

      Unless the hack on that USB stick forces the target machine to start radiating data on RF via its monitor or other peripherals.

      Those radiations could then be read from an external pickup.
      "Van Eck phreaking is a form of eavesdropping in which special equipment is used to pick up side-band electromagnetic emissions from electronic devices that correlate to hidden signals or data for the purpose of recreating these signals or data in order to spy on the electronic device. Side-band electromagnetic radiation emissions are present in, and with the proper equipment, can be captured from keyboards, computer displays, printers, and other electronic devices."

      http://en.wikipedia.org/wiki/V...

  4. Stuxnet by Anonymous Coward · · Score: 0

    Stuxnet was first therefore title should say, Chinese are following US footsteps, or Chinese are caching up to Americans, etc.

    1. Re:Stuxnet by dunkindave · · Score: 1

      Stuxnet was first therefore title should say, Chinese are following US footsteps, or Chinese are caching up to Americans, etc.

      Getting malware onto air-gapped machines through covert means predates Stuxnet by a large amount (decades), with the Russians being one of the earliest practitioners.

    2. Re:Stuxnet by halivar · · Score: 2

      Wasn't the first practitioner a computer store in Pakistan? Your computer would just display a message saying, "to fix this message, $$$ to this computer store in Pakistan" or something to that effect. Even had their name in it and everything.

    3. Re:Stuxnet by halivar · · Score: 2

      Ah, here it is. Even better that it was accidental.

    4. Re:Stuxnet by arth1 · · Score: 1

      Chinese are caching up to Americans, etc.

      Hopefully not using nginx.

  5. .....this is news? by ilsaloving · · Score: 4, Interesting

    The group designed malware components with worm-like capabilities that can infect removable drives such as USB sticks and hard drives. Those devices can transfer the malware if connected to a device on an air-gapped network.

    Um... welcome back to the 80s and 90s?

    1. Re:.....this is news? by Anonymous Coward · · Score: 0

      80's would have been floppy diskettes, 90's could have included compact discs, although the concept is the same.

    2. Re:.....this is news? by Anonymous Coward · · Score: 0

      Infected USB sticks are really more like circa 2005 or 2006, man.

    3. Re:.....this is news? by wren337 · · Score: 2

      I worked at an online real-estate service in the early 90's, we let realtors mail us floppy disks that our VB app had written listing information onto. One of our jobs was to run through the stack of floppies in the mail every day. So many viruses. People really were clueless about AV protection and were just swapping disks.

    4. Re:.....this is news? by sudon't · · Score: 1

      Ah, yes. I remember well, sticking a floppy into a rent-a-Mac at the local copy shop, and watching the virus scan.

      --
      -- sudon't

      Air-ride Equipped

  6. When you make the hardware by Anonymous Coward · · Score: 0

    You can build in flaws that defeat the air gap without ever having a man on the inside. Congratulations, US computer industry, your use of Chinese labor has doomed us all.

  7. I wonder... by Flavianoep · · Score: 1

    If the machines are air-gapped, how are their software updated?

    --
    Linux is for people who don't mind RTFM.
    1. Re:I wonder... by ageoffri · · Score: 1

      Scrutinize software updates and reduce the risk that the software will introduce additional risks. Utilize the sneaker net with some sort of portable media. Perform updates on air-gapped machines. Destroy portable media.

      --
      -- Slashdot, making the Left look conservative since 1997.
    2. Re:I wonder... by Anonymous Coward · · Score: 0

      If the machines are air-gapped, how are their software updated?

      Sneakernet...

    3. Re:I wonder... by rahvin112 · · Score: 1

      It's not hard to download the updates from a secure isolated computer, burn them to disc and transfer them to an administration machine on the closed network. Ideally this machine would be locked down so heavily as to be near unusable so its chance of being compromised is reduced. Along with audits before and after downloading.

      The NSA sets the DOD's policies on this stuff, and they wrote the book on compromising systems.
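
The procedure in the two replies above (download on an isolated machine, burn to disc, audit before and after, apply on the closed network, destroy the media) has one step that is easy to do badly: the "audit after", meaning a check that what arrived on the closed side is exactly what was staged on the connected side and nothing else. The script below is an added example, not code from this thread: the staging station builds a manifest of SHA-256 hashes and seals it with an HMAC, and the isolated station verifies the seal first and then every file, reporting anything modified, missing or added (an autorun.inf slipped onto the disc, for instance). The shared HMAC key is an assumption made so the demo is self-contained; a real deployment would sign the manifest with a key held on a hardware token at the staging station, and in either case the key lives nowhere on the media.

```python
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    """Map every relative path under root (forward slashes) to its absolute path."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found


def _seal(files, key):
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Staging side: hash everything that will go on the media and seal the list."""
    files = {rel: sha256_file(full) for rel, full in sorted(list_files(root).items())
             if rel != MANIFEST_NAME}
    return {"files": files, "tag": _seal(files, key)}


def verify_media(root, manifest, key):
    """Isolated side: return a list of problems; an empty list means an exact match."""
    if not hmac.compare_digest(_seal(manifest["files"], key), manifest["tag"]):
        return ["manifest tag invalid: do not trust the file list"]
    present = list_files(root)
    present.pop(MANIFEST_NAME, None)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append("missing: " + rel)
        elif sha256_file(present[rel]) != digest:
            problems.append("modified: " + rel)
    for rel in sorted(present):
        if rel not in manifest["files"]:
            problems.append("unexpected file: " + rel)
    return problems


def demo():
    """Stage two files, seal, verify clean; plant autorun.inf and patch a file; then forge."""
    key = b"transfer-station-secret"   # assumed: provisioned out of band, never written to the media
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "updates"))
        with open(os.path.join(media, "updates", "patch-0001.bin"), "wb") as f:
            f.write(b"\x00constructed patch bytes\x00")
        with open(os.path.join(media, "README.txt"), "w") as f:
            f.write("approved transfer\n")
        manifest = build_manifest(media, key)
        with open(os.path.join(media, MANIFEST_NAME), "w") as f:
            json.dump(manifest, f)

        # isolated side reads the manifest back off the media and checks it
        with open(os.path.join(media, MANIFEST_NAME)) as f:
            loaded = json.load(f)
        clean = verify_media(media, loaded, key)

        # tampering between the two stations: an autorun.inf appears, a patch gains a byte
        with open(os.path.join(media, "autorun.inf"), "w") as f:
            f.write("[autorun]\nopen=updates\\patch-0001.bin\n")
        with open(os.path.join(media, "updates", "patch-0001.bin"), "ab") as f:
            f.write(b"!")
        tampered = verify_media(media, loaded, key)

        # editing the manifest without the key cannot make the additions look legitimate
        loaded["files"]["autorun.inf"] = sha256_file(os.path.join(media, "autorun.inf"))
        forged = verify_media(media, loaded, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result or "OK")
```

The "unexpected file" branch is the one that matters for this thread: hashing only the files you expected to find is exactly the audit a dropped autorun.inf or a hidden .lnk walks straight past.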

    4. Re:I wonder... by Anonymous Coward · · Score: 1

      If the machines are air-gapped, how are their software updated?

      If the computer is air-gapped and only connected to an internal network that is isolated from any other network which might have Internet connectivity, there is no reason to update software on a regular basis. If you only create documents and are using WordPerfect and print all documents for dissemination why would you update or change the word processing software?

    5. Re:I wonder... by Chris+Mattern · · Score: 1

      And the answer is, they are not air-gapped during the update procedure, which thus must be carefully controlled. Updates tend not to happen often in such environments, for exactly that reason.

    6. Re:I wonder... by Migraineman · · Score: 2

      This only works if the userbase is 100% cooperative. My observation is that if something is inconvenient, there is incentive to route around it. Good security procedures are necessarily inconvenient. Further, when you add the imperfectness of the meatbag into the system, it's all too easy to accidentally bring a cell phone into a secure area, or to miss the CD-R in the stack of benign papers that gets taken out of the secure area.

    7. Re:I wonder... by Hamsterdan · · Score: 1

      a:\update.exe

      --
      I've got better things to do tonight than die.
    8. Re:I wonder... by PPH · · Score: 1

      With floppies.

      --
      Have gnu, will travel.
  8. Note to the terminology-impaired by Chris+Mattern · · Score: 3, Informative

    If you can stick foreign media into it, it's not airgapped.

    1. Re:Note to the terminology-impaired by Anonymous Coward · · Score: 0

      Yes it is. Otherwise, you would never get a single computer on that network. At some point you *have* to bring something into the area.

    2. Re:Note to the terminology-impaired by DigiShaman · · Score: 1

      Depends on what side of the network you're on. If some fucking moron picks up a bright lime green USB thumb drive lying in the driveway, brings it inside, and plugs it in out of curiosity, what are you going to do after the fact? Yeah, you now fired that individual. Meanwhile, a trojan virus (in the true sense of the word) has been introduced inside the network.

      --
      Life is not for the lazy.
    3. Re:Note to the terminology-impaired by Ralph+Wiggam · · Score: 1

      Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.

      I have heard that many air gapped networks also put super glue in the USB ports, but that's not required.

    4. Re:Note to the terminology-impaired by Chris+Mattern · · Score: 1

      Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.

      Wrong. An "air gap" is a *network and system* configuration. There is no *nothing* connecting the system/network to the outside. If there isn't air between hardware and *any* outside media, network or otherwise, there isn't an air gap.

    5. Re:Note to the terminology-impaired by Chris+Mattern · · Score: 1

      Yes it is. Otherwise, you would never get a single computer on that network. At some point you *have* to bring something into the area.

      Correct. And at that point, the system is not airgapped. It will be airgapped once installation is complete and system sealed.

    6. Re:Note to the terminology-impaired by Anonymous Coward · · Score: 0

      You made that up.

    7. Re:Note to the terminology-impaired by Ralph+Wiggam · · Score: 1

      So workstations on an airgapped network can never get software upgrades?

    8. Re:Note to the terminology-impaired by Anonymous Coward · · Score: 1

      Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.

      Wrong. An "air gap" is a *network and system* configuration. There is no *nothing* connecting the system/network to the outside. If there isn't air between hardware and *any* outside media, network or otherwise, there isn't an air gap.

      No, this is not the accepted industry definition of air gapped systems. Most air gapped systems need some way of receiving updates to the code they are running or of exporting/importing changes to data sets. But USB sticks are probably the most dangerous method you could choose for this; CD would be better.

    9. Re:Note to the terminology-impaired by Chris+Mattern · · Score: 1

      So workstations on an airgapped network can never get software upgrades?

      Correct. The system would have to have its air-gapped status stand down temporarily to perform the upgrade. Which is one reason that upgrades on such systems are rarely done.

    10. Re:Note to the terminology-impaired by edtice1559 · · Score: 1

      The updates would be brought in via approved media. That media would never leave the secure facility.

    11. Re:Note to the terminology-impaired by Anonymous Coward · · Score: 1

      Yes it is. Otherwise, you would never get a single computer on that network. At some point you *have* to bring something into the area.

      Correct. And at that point, the system is not airgapped. It will be airgapped once installation is complete and system sealed.

      The operating level is airgapped.

      Stop being *that guy* who wants to nitpick this shit down to maintenance-level support for offline systems. The fucking power cord means it's "online" if you can build sensors that detect varying levels of voltage. Same goes for RF bleed if you've not built TEMPEST shielding around the hardware.

    12. Re:Note to the terminology-impaired by Anonymous Coward · · Score: 0

      Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.

      Wrong. An "air gap" is a *network and system* configuration. There is no *nothing* connecting the system/network to the outside. If there isn't air between hardware and *any* outside media, network or otherwise, there isn't an air gap.

      Ironically, since air carries sound waves (a form of communication), if air does exist between airgapped systems, then it's truly not gapped...

      So, the simple answer is put your airgapped systems in space. Problem solved.

  9. Sometimes it's not. by Anonymous Coward · · Score: 1

    We've got systems where the software is simply frozen.

  10. Is a water gap by dkman · · Score: 1

    I would link a picture of a castle with a moat but I'm too lazy.

    Air is so passe.

    --
    I refuse to sign
    1. Re:Is a water gap by Anonymous Coward · · Score: 0

      here: pictureofcastlewithmoat.jpg

      FTFY.gif

  11. Been there, done that by __aabppq7737 · · Score: 1

    Next up: paper and pencil espionage.

  12. Document Link? by Anonymous Coward · · Score: 0

    The site to download the PDF report requires your name, email, etc., and then they send you a copy of the report. Has anyone done this and is willing to post the file somewhere and provide a link?

    1. Re:Document Link? by Anonymous Coward · · Score: 0

      'Your report, "APT30: The Mechanics of a Decade Long Cyber Espionage Operation", is now available for download.'

  13. Yeah, Air Gapped by Anonymous Coward · · Score: 0

    ... like the head of the person who came up with this term.

  14. Advanced hacking group likely aligned with China? by DougPaulson · · Score: 1

    "An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye"

    What evidence does FireEye have that 'China' is behind this, and why don't you mention that the main technology required in order to facilitate crossing the 'air-gapped networks' is a portable USB device, malicious email attachments, and Microsoft Windows?

  15. Not only that, but.... by anwyn · · Score: 1

    they also have all the emails Hillary told you she deleted!

  16. Or data to be processed? by Ungrounded+Lightning · · Score: 1

    So workstations on an airgapped network can never get software upgrades?

    Or data to be processed?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  17. dem haxxorz be haxxin by Anonymous Coward · · Score: 0

    Thank you for sharing 69 pages of content-free security drivel bragging.

  18. Parallelograms by Anonymous Coward · · Score: 0

    Jen Weedon? FireEye? hmmmmm did I slip a universe when I wasn't looking?

  19. THIS!!!!! by Anonymous Coward · · Score: 0

    If end-users can get to any USB/parallel/serial ports or floppies/optical media of any sort, you've failed already.

    You can leave the floppies and optical drives in the bay, just disconnect them internally.

    Everything introduced into these "secure machines" needs to come from a special network server that is also air-gapped, but only accessible to someone who understands their job is on the line.

    I had a job like that in a prior life. There were actually 4 separate networks that had to be moved across to get into the production control center network. Everything was copied off to tape that was introduced after a virus scan was run ... which made zero sense - we were 100% non-x86 UNIX network. No Windows. Anyway - if anything got in, it could be traced back to a signature (hopefully NOT mine) from the introduction workstation. I didn't have the authority to move anything to a higher level network and only the paperwork would make that happen. A few hours later, it would be in my "inbox" directory on the other network.

    Plenty of traceability. Getting anything out was even harder. I never did that.