Chinese Hacker Group Targets Air-Gapped Networks

← Back to Stories (view on slashdot.org)

Chinese Hacker Group Targets Air-Gapped Networks

Posted by samzenpus on Monday April 13, 2015 @02:55AM from the minding-the-gap dept.

itwbennett writes An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye, which released a 69-page technical report on Sunday on the group. FireEye picked up on it after some of the malware used by the group was found to have infected defense-related clients in the U.S., said Jen Weedon, manager of strategic analysis with FireEye.

50 of 71 comments (clear)

Min score:

Reason:

Sort:

What we need by fustakrakich · 2015-04-13 03:00 · Score: 3, Funny

is a bigger gap!

--
“He’s not deformed, he’s just drunk!”
1. Re:What we need by Impy+the+Impiuos+Imp · 2015-04-13 03:17 · Score: 2
  
  "Mr. President, we cannot allow an air gap gap!"
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Hillarrhea!'s mail server? by Anonymous Coward · 2015-04-13 03:02 · Score: 1

Haven't they already hacked that?
1. Re:Hillarrhea!'s mail server? by Anonymous Coward · 2015-04-13 03:32 · Score: 1
  
  They probably paid for it. But we'll never know. She wiped the server clean after congress asked he for the emails.
No mention of getting data out by edtice1559 · 2015-04-13 03:06 · Score: 1

It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing it's job.
1. Re:No mention of getting data out by turbidostato · 2015-04-13 03:26 · Score: 1
  
  "So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful."
  In one acronym: DoS.
2. Re:No mention of getting data out by ScentCone · 2015-04-13 03:29 · Score: 4, Insightful
  
  you can bring your USB drive into the secure area, but it can't be removed ... I still don't have anything useful
  Stuxnet wasn't all about "getting anything out," either.
  
  --
  Don't disappoint your bird dog. Go to the range.
3. Re:No mention of getting data out by masterofthumbs · 2015-04-13 03:31 · Score: 5, Informative
  
  I think they are relying on people to accidentally forget to confiscate the devices when leaving secure areas or the malware is waiting for some other way to communicate out of the network. Recently, a researcher showed how he was able to move data (albeit, very slowly) between two air-gapped machines just using temperature changes of both infected machines. Something using built-in speakers and mics of two machines could also move data using ultrasonic audio. If this is a targeted attack looking for a specific piece of information, a private key perhaps, you wouldn't need to transfer the information very long before someone notices.
  All of these air-gapped exploits pretty much rely on people clicking things they shouldn't or plugging things in to other things they shouldn't but the hard part is getting back out of the air-gapped network.
4. Re:No mention of getting data out by geekmux · 2015-04-13 03:36 · Score: 3, Insightful
  
  It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing it's job.
  This may be true of the systems you have worked on, but it isn't true of all classified systems.
  If a classified system is approved for trusted downloading, then it is enabled for certain data to be passed to and from that air-gapped system, usually via optical drive, but other means(USB, floppy) are not unheard of.
  Let's put this another way. Ongoing development that also includes attacks on air-gapped systems would not be ongoing if there were no viable methods of attack. That would be rather pointless.
5. Re:No mention of getting data out by TheCastro1689 · 2015-04-13 03:41 · Score: 1
  
  Stuxnet dialed home everyday for new instructions though.
6. Re:No mention of getting data out by dunkindave · 2015-04-13 03:46 · Score: 4, Informative
  
  It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing it's job.
  There are ways for a machine to transmit information other than a wire, that can be detected by other devices. The infected air-gapped machine could send information out through its speakers that a microphone elsewhere could hear. It could flash its screen in binary in the middle of the night that someone outside the building might see through a window. It can raise and lower its power usage through various means that might be detected at the power feed. There was even an article a month ago talking about changing the heat output of the air-gapped machine that could be detected by the thermal sensors in a nearby computer. And there are even more that I won't go into.
  
  So there are ways to send information out even if the USB drive doesn't leave.
7. Re:No mention of getting data out by ScentCone · 2015-04-13 03:54 · Score: 3, Insightful
  
  Sure, but something like that doesn't HAVE to, in order to still be a significant (and possibly lethal) PITA.
  
  --
  Don't disappoint your bird dog. Go to the range.
8. Re:No mention of getting data out by dkman · 2015-04-13 04:26 · Score: 2
  
  You're a scary individual, but I like the way you think.
  
  --
  I refuse to sign
9. Re:No mention of getting data out by Lumpy · 2015-04-13 04:28 · Score: 5, Interesting
  
  dont have to dial home. Look for new incoming infections to carry the new commands.
  You attack an airgapped but human vulnerable systems like you send probes to outer space. You keep sending them in hopes that one reaches it's target. Anything after you send with the same hopes but with new commands for anything that may have made it there.
  and airgapped can have a reverse comms channel you just need to be clever in finding that channel. Attacking a science facility? You had to target a scientist to get it in there, so target that same person as the outgoing data stream. all you need is YES/NO data. so alter their data that they would communicate back out manually.
  Pop up a typical windows error, "CAUTION ID10T ERROR OK/RETRY" They will report that back to IT via their email that you are watching. There is your return data channel.
  
  --
  Do not look at laser with remaining good eye.
10. Re:No mention of getting data out by The-Ixian · 2015-04-13 05:09 · Score: 1
  
  Do you need some sort of auto-run action upon insertion of the USB stick in order for this to work?
  
  Seems crazy that you would have a policy to automatically execute anything.
  
  --
  My eyes reflect the stars and a smile lights up my face.
11. Re:No mention of getting data out by pscottdv · 2015-04-13 05:24 · Score: 1
  
  http://www.wired.com/2014/10/c...
  
  --
  this signature has been removed due to a DMCA takedown notice
12. Re:No mention of getting data out by Ungrounded+Lightning · 2015-04-13 08:11 · Score: 1
  
  It can do bursts of computation, memory access, or anything else that varies the amount you wiggle voltages or currents on wires in a way that emits radio waves. You can do it without even trying (which is one way some smartcards exposed private keys ...).
  In the days of CRTs that applied especially well: Graphics output could modulate the beam and generate a LOT of radio. (Doing gray scales by making shifting fine patters would be an especially "in your face but you can't see it" approach.) A fast photocell could read it from the light, as well.
  Preventing / shielding against things like this is what "Tempest" is about.
  I recall, back in the late '60s / early '70s, when I was doing software on a machine at a classified site. It had a music program that worked by wiggling the lines on three console display lamps that were also connected, by three resistors (forming a cheap D2A converter) to a volume control T-pad and a loudspeaker. Turns out it also modulated the memory access and/or other signals - a lot. I had left it playing "moon river" overnight, drove up to the building, and heard it on my A.M. radio.
  I realized it would have been trivial to exfiltrate a small amount of data, even on my starving student budget, by emulating an FSK modem and hooking a transistor radio to a battery-powered tape recorder (about the size of a briefcase in those days) left in the trunk of my car. (Not that I'd have needed to, since I could carry mag tapes in and out, but as a "white hat", how could it be done, exercise.)
  The security guys figured that out, too. A bit later I got a ping from management: Some guys from Washington had also driven up, noticed the arcade-quality "music", and given them grief about it.
  
  --
  Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
13. Re:No mention of getting data out by rtb61 · 2015-04-13 12:48 · Score: 1
  
  That is not technically correct, as a proper air gapped network should not have any means to digitally add data other than via secured, monitored and filtered access points. So failures in air gap system design are obvious, still live wireless hardware, unconditioned power feeds and local terminals with poor input control methods. The untoward access to a properly designed air gapped network should be via corruption of personal and that data should only be copied and removed in hard copy form or be added manually, except at the specific control point for the digital addition or removal of data. That power supply can be a real problem for bringing bad data into an air gapped network but it requires that the hardware in the network has already been compromised. Of course with so much stuff sourced from China in the blind US rush for greed, that is likely to have occurred. Now with lots of government three letter agency attacks hidden behind false flag terrorism, yep, sure a bunch of goat herders in a cave brought down a commercial broadcast network (lies work best when you can silence the truth, even just temporarily, until the bulk of the killing is over). So bad people in positions of trust will always be the greatest problem and of course for the spy agencies psychopaths make the best agents, that shameless lying works well for them, or does it?!?.
  
  --
  Chaos - everything, everywhere, everywhen
14. Re:No mention of getting data out by drkim · 2015-04-14 21:05 · Score: 1
  
  ...even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful.
  Unless the hack on that USB stick forces the target machine to start radiating data on RF via its monitor or other peripherals.
  Those radiations could then be read from an external pickup.
  "Van Eck phreaking is a form of eavesdropping in which special equipment is used to pick up side-band electronic-magnetic emissions from electronics devices that correlate to hidden signals or data for the purpose of recreating these signals or data in order to spy on the electronic device. Side-band electromagnetic radiation emissions are present in, and with the proper equipment, can be captured from keyboards, computer displays, printers, and other electronic devices."
  http://en.wikipedia.org/wiki/V...
.....this is news? by ilsaloving · 2015-04-13 03:16 · Score: 4, Interesting

The group designed malware components with worm-like capabilities that can infect removable drives such as USB sticks and hard drives. Those devices can transfer the malware if connected to a device on an air-gapped network.
Um... welcome back to the 80s and 90s?
1. Re:.....this is news? by wren337 · 2015-04-13 04:19 · Score: 2
  
  I worked at an online real-estate service in the early 90's, we let realtors mail us floppy disks that our VB app had written listing information onto. One of our jobs was to run through the stack of floppies in the mail every day. So many viruses. People really were clueless about AV protection and were just swapping disks.
2. Re:.....this is news? by sudon't · 2015-04-13 06:19 · Score: 1
  
  Ah, yes. I remember well, sticking a floppy into a rent-a-Mac at the local copy shop, and watching the virus scan.
  
  --
  -- sudon't
  Air-ride Equipped
I wonder... by Flavianoep · 2015-04-13 03:29 · Score: 1

If the machines are air-gapped, how are their software updated?

--
Linux is for people who don't mind RTFM.
1. Re:I wonder... by ageoffri · 2015-04-13 03:33 · Score: 1
  
  Scrutinize software updates and reduce the risk that the software will introduce additional risks. Utilize the sneaker net with some sort of portable media. Perform updates on air-gapped machines. Destroy portable media.
  
  --
  -- Slashdot, making the Left look conservative since 1997.
2. Re:I wonder... by rahvin112 · 2015-04-13 03:40 · Score: 1
  
  It's not hard to download the updates from a secure isolated computer burn them to disc and transfer them to an administration machine on the closed network. Ideally this machine would be locked down so heavily to be near unusable so its chance of compromising is reduced. Along with audits before and after downloading.
  The NSA sets the DOD's policies on this stuff, and they wrote the book on compromising systems.
3. Re:I wonder... by Anonymous Coward · 2015-04-13 04:00 · Score: 1
  
  If the machines are air-gapped, how are their software updated?
  If the computer is air-gapped and only connected to an internal network that is isolated from any other network which might have Internet connectivity, there is no reason to update software on a regular basis. If you only create documents and are using WordPerfect and print all documents for dissemination why would you update or change the word processing software?
4. Re:I wonder... by Chris+Mattern · 2015-04-13 04:08 · Score: 1
  
  And the answer is, they are not air-gapped during the update procedure, which thus must be carefully controlled Updates tend not to happen often in such evironments, for exactly that reason.
5. Re:I wonder... by Migraineman · 2015-04-13 04:28 · Score: 2
  
  This only works if the userbase is 100% cooperative. My observation is that if something is inconvenient, there is incentive to route around it. Good security procedures are necessarily inconvenient. Further, when you add the imperfectness of the meatbag into the system, it's all too easy to accidentally bring a cell phone into a secure area, or to miss the CD-R in the stack of benign papers that gets taken out of the secure area.
6. Re:I wonder... by Hamsterdan · 2015-04-13 05:11 · Score: 1
  
  a:\update.exe
  
  --
  I've got better things to do tonight than die.
7. Re:I wonder... by PPH · 2015-04-13 12:30 · Score: 1
  
  With floppies.
  
  --
  Have gnu, will travel.
Re:Stuxnet by dunkindave · 2015-04-13 03:48 · Score: 1

Stuxnet was first therefore title should say, Chinese are following US footsteps, or Chinese are caching up to Americans, etc.
Getting malware onto air-gapped machines through covert means predates stuxnet by a large amount (decades), with the Russians being one of the earliest practicers.
Note to the terminology-impaired by Chris+Mattern · 2015-04-13 04:06 · Score: 3, Informative

If you can stick foreign media into it, it's not airgapped.
1. Re:Note to the terminology-impaired by DigiShaman · 2015-04-13 05:14 · Score: 1
  
  Depends on what side of the network you're on. If some fucking moron picks up a bright lime green USB thumb drive laying in the drive way, brings it inside, and plugs it in out of curiosity, what are you going to do after the fact? Yeah, you now fired that individual. Meanwhile, a trojan virus (in the true sense of the world) has been introduced inside the network.
  
  --
  Life is not for the lazy.
2. Re:Note to the terminology-impaired by Ralph+Wiggam · 2015-04-13 05:47 · Score: 1
  
  Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.
  I have heard that many air gapped networks also put super glue in the USB ports, but that's not required.
3. Re:Note to the terminology-impaired by Chris+Mattern · 2015-04-13 06:12 · Score: 1
  
  Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.
  Wrong. An "air gap" is a *network and system* configuration. There is no *nothing* connecting the system/network to the outside. If there isn't air between hardware and *any* outside media, network or otherwise, there isn't an air gap.
4. Re:Note to the terminology-impaired by Chris+Mattern · 2015-04-13 06:14 · Score: 1
  
  Yes it is. Otherwise, you would never get a single computer on that network. At some point you *have* to bring something into the area.
  Correct. And at that point, the system is not airgapped. It will be airgapped once installation is complete and system sealed.
5. Re:Note to the terminology-impaired by Ralph+Wiggam · 2015-04-13 07:43 · Score: 1
  
  So workstations on an airgapped network can never get software upgrades?
6. Re:Note to the terminology-impaired by Anonymous Coward · 2015-04-13 08:22 · Score: 1
  
  Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.
  Wrong. An "air gap" is a *network and system* configuration. There is no *nothing* connecting the system/network to the outside. If there isn't air between hardware and *any* outside media, network or otherwise, there isn't an air gap.
  No, this is not the accepted industry definition of air gapped systems. Most air gapped systems needs some way of receiving updates to the code they are running or export/import changes to data sets. But USB sticks is probably the most dangerous method you could choose for this, CD would be better.
7. Re:Note to the terminology-impaired by Chris+Mattern · 2015-04-13 08:27 · Score: 1
  
  So workstations on an airgapped network can never get software upgrades?
  Correct. The system would have to have its airgrapped status stand down temporarily to perform the upgrade. Which is one reason that upgrades on such systems are rarely done.
8. Re:Note to the terminology-impaired by edtice1559 · 2015-04-13 08:31 · Score: 1
  
  The updates would be brought in via approved media. That media would never leave the secure facility.
9. Re:Note to the terminology-impaired by Anonymous Coward · 2015-04-13 08:36 · Score: 1
  
  Yes it is. Otherwise, you would never get a single computer on that network. At some point you *have* to bring something into the area.
  Correct. And at that point, the system is not airgapped. It will be airgapped once installation is complete and system sealed.
  The operating level is airgapped.
  Stop being *that guy* who wants to nitpick this shit down to maintenance-level support for offline systems. The fucking power cord means it's "online" if you can build sensors that detect varying levels of voltage. Same goes for RF bleed if you've not built TEMPEST shielding around the hardware.
Sometimes it's not. by Anonymous Coward · 2015-04-13 04:10 · Score: 1

We've got systems where the software is simply frozen.
Re:Stuxnet by halivar · 2015-04-13 04:18 · Score: 2

Wasn't the first practitioner a computer store in Pakistan? Your computer would just display a message saying, "to fix this message, $$$ to this computer store in Pakistan" or something to that effect. Even had their name in it and everything.
Is a water gap by dkman · 2015-04-13 04:22 · Score: 1

I would link a picture of a castle with a moat but I'm too lazy.

Air is so passe.

--
I refuse to sign
Re:Stuxnet by halivar · 2015-04-13 04:23 · Score: 2

Ah, here it is. Even better that it was accidental.
Re:Stuxnet by arth1 · 2015-04-13 04:35 · Score: 1

Chinese are caching up to Americans, etc.
Hopefully not using nginx.
Been there, done that by __aabppq7737 · 2015-04-13 05:01 · Score: 1

Next up: paper and pencil espionage.
Advanced hacking group likely aligned with China? by DougPaulson · 2015-04-13 09:31 · Score: 1

"An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye"

What evidence does FireEye have that 'China' is behind this and why don't you mention that the main technology required in order to facilitate crossing the 'air-gapped networks', is a portable USB device, malicious email attachments and Microsoft Windows.
Not only that, but.... by anwyn · 2015-04-13 09:43 · Score: 1

they also have all the emails Hillary told you she deleted!
Or data to be processed? by Ungrounded+Lightning · 2015-04-13 10:15 · Score: 1

So workstations on an airgapped network can never get software upgrades?
Or data to be processed?

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way