Slashdot Mirror


Chinese Hacker Group Targets Air-Gapped Networks

itwbennett writes: An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye, which released a 69-page technical report on Sunday on the group. FireEye picked up on it after some of the malware used by the group was found to have infected defense-related clients in the U.S., said Jen Weedon, manager of strategic analysis with FireEye.

15 of 71 comments

  1. What we need by fustakrakich · · Score: 3, Funny

    is a bigger gap!

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:What we need by Impy the Impiuos Imp · · Score: 2

      "Mr. President, we cannot allow an air gap gap!"

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  2. .....this is news? by ilsaloving · · Score: 4, Interesting

    The group designed malware components with worm-like capabilities that can infect removable drives such as USB sticks and hard drives. Those devices can transfer the malware if connected to a device on an air-gapped network.

    Um... welcome back to the 80s and 90s?

    1. Re:.....this is news? by wren337 · · Score: 2

      I worked at an online real-estate service in the early 90s; we let realtors mail us floppy disks that our VB app had written listing information onto. One of our jobs was to run through the stack of floppies in the mail every day. So many viruses. People really were clueless about AV protection and were just swapping disks.

  3. Re:No mention of getting data out by ScentCone · · Score: 4, Insightful

    you can bring your USB drive into the secure area, but it can't be removed ... I still don't have anything useful

    Stuxnet wasn't all about "getting anything out," either.

    --
    Don't disappoint your bird dog. Go to the range.
  4. Re:No mention of getting data out by masterofthumbs · · Score: 5, Informative

    I think they are relying on people to accidentally forget to confiscate the devices when leaving secure areas or the malware is waiting for some other way to communicate out of the network. Recently, a researcher showed how he was able to move data (albeit, very slowly) between two air-gapped machines just using temperature changes of both infected machines. Something using built-in speakers and mics of two machines could also move data using ultrasonic audio. If this is a targeted attack looking for a specific piece of information, a private key perhaps, you wouldn't need to transfer the information very long before someone notices.

    All of these air-gapped exploits pretty much rely on people clicking things they shouldn't or plugging things into other things they shouldn't, but the hard part is getting back out of the air-gapped network.

  5. Re:No mention of getting data out by geekmux · · Score: 3, Insightful

    It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing its job.

    This may be true of the systems you have worked on, but it isn't true of all classified systems.

    If a classified system is approved for trusted downloading, then it is enabled for certain data to be passed to and from that air-gapped system, usually via optical drive, but other means (USB, floppy) are not unheard of.

    Let's put this another way. Ongoing development that also includes attacks on air-gapped systems would not be ongoing if there were no viable methods of attack. That would be rather pointless.

  6. Re:No mention of getting data out by dunkindave · · Score: 4, Informative

    It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing its job.

    There are ways for a machine to transmit information other than a wire, that can be detected by other devices. The infected air-gapped machine could send information out through its speakers that a microphone elsewhere could hear. It could flash its screen in binary in the middle of the night that someone outside the building might see through a window. It can raise and lower its power usage through various means that might be detected at the power feed. There was even an article a month ago talking about changing the heat output of the air-gapped machine that could be detected by the thermal sensors in a nearby computer. And there are even more that I won't go into.

    So there are ways to send information out even if the USB drive doesn't leave.

  7. Re:No mention of getting data out by ScentCone · · Score: 3, Insightful

    Sure, but something like that doesn't HAVE to, in order to still be a significant (and possibly lethal) PITA.

    --
    Don't disappoint your bird dog. Go to the range.
  8. Note to the terminology-impaired by Chris Mattern · · Score: 3, Informative

    If you can stick foreign media into it, it's not airgapped.

  9. Re:Stuxnet by halivar · · Score: 2

    Wasn't the first practitioner a computer store in Pakistan? Your computer would just display a message saying, "to fix this message, $$$ to this computer store in Pakistan" or something to that effect. Even had their name in it and everything.

  10. Re:Stuxnet by halivar · · Score: 2

    Ah, here it is. Even better that it was accidental.

  11. Re:No mention of getting data out by dkman · · Score: 2

    You're a scary individual, but I like the way you think.

    --
    I refuse to sign
  12. Re:No mention of getting data out by Lumpy · · Score: 5, Interesting

    Don't have to dial home. Look for new incoming infections to carry the new commands.

    You attack air-gapped but human-vulnerable systems like you send probes to outer space. You keep sending them in hopes that one reaches its target. Anything after, you send with the same hopes but with new commands for anything that may have made it there.

    And air-gapped can have a reverse comms channel; you just need to be clever in finding that channel. Attacking a science facility? You had to target a scientist to get it in there, so target that same person as the outgoing data stream. All you need is YES/NO data. So alter their data that they would communicate back out manually.

    Pop up a typical Windows error, "CAUTION ID10T ERROR OK/RETRY". They will report that back to IT via their email that you are watching. There is your return data channel.

    --
    Do not look at laser with remaining good eye.
  13. Re:I wonder... by Migraineman · · Score: 2

    This only works if the userbase is 100% cooperative. My observation is that if something is inconvenient, there is incentive to route around it. Good security procedures are necessarily inconvenient. Further, when you add the imperfectness of the meatbag into the system, it's all too easy to accidentally bring a cell phone into a secure area, or to miss the CD-R in the stack of benign papers that gets taken out of the secure area.