Russian "Pawn Storm" expands, rains hell on NATO, air-gapped PCs

One of the most prolific and capable Russian malware groups is using a rare module to infect USB sticks and hose air-gapped machines in defence industry organisations. The group, known as "Sofacy" or "Pawn Storm", has been ripping into air-gapped defence organisations since at least August, demonstrating its skills using zero-day …

  1. Peter 26

    How do you get the data out?

    Can anyone explain what these hackers are actually doing once they get in to the air gapped network?

    With the network being air gapped it must be very hard to get the data out, examine the system, do anything really as you have no feedback?

    I can understand attacking the air gapped nuclear centrifuges, because you don't need to get any data out...

    1. Anonymous Coward
      Anonymous Coward

      Re: How do you get the data out?

      Not any area of expertise on my part, but if you think about it, then if you can infect, you've proven that flash drives are being plugged into air gapped machines and if idiots are plugging flash drives into air gapped machines, then they are certainly using them in web-connected machines. If you can compromise the air-gapped network security, then next time an infected drive is connected, it can be used to transport data out, and send that off when connected to the internet?

      1. Anonymous Coward
        Anonymous Coward

        Re: How do you get the data out?

        So the attack has to be targeted enough to be able to get the relevant information out on a USB stick? That's an interesting idea but it doesn't sound like a massive security hole, you'd have to have a pretty clear idea of what was running on the airgapped box in the first place to be able to target it effectively. Wherever that knowledge came from is a more pressing security problem.

        1. Trevor_Pott Gold badge

          Re: How do you get the data out?

          Why?

          Hoover up all .doc, .pdf. ppt etc files with various keywords. Copy over all database files you can find. Anything that looks like it contains password info and encryption keys.

          After that's done, copy over any .doc, .pdf .ppt files that didn't match your filters. If you still have space, copy over any encrypted files too. Do this all as copies to a shadow file system that the OS isn't aware of so nobody sees you filling up the drive. If someone copies something over then the OS overwrites some of the stuff your bots got. Oh well. The rest of it will get fired up to you ASAP and you recover what you can.

          Anyone who has done data recovery from a crashed drive will probably be good at guessing what's important, even without seeing the system.

          1. Anonymous Coward
            Anonymous Coward

            Re: How do you get the data out?

            I would love to learn of some shadow filesystems (compatible with Windows and NTFS) like you describe, as they'll be more plausibly deniable than current encrypted filesystems.

            1. Trevor_Pott Gold badge

              Re: How do you get the data out?

              Well, by definition they wouldn't be "compatible with Windows and NTFS" in that they wouldn't be mountable by Windows. You would have to have code that read those filesystems and then mounted them. I don't know of any commercial ones off the top of my head, but I have written several in my day.

              The keys to making it work are as follows:

              1) Identify which blocks are currently marked as "not in use" by the primary file system. Write your data to those blocks.

              2) Develop your filesystem such that you write the file metadata with the data. This allows the primary file system to overwrite blocks you have used and you can still extract data from the blocks that haven't been overwritten. This "store metadata with the data" trick is frequently used in today's object storage filesystems, and it is quite possible one of the open source ones could be modified for this purpose without too much effort.

              3) Be very aware of the restrictions of writing to USB flash drives. Study Reduced Block Commands and do a lot of testing to make sure that you can reliably write to the blocks that are actually the ones identified by the file system as "not in use" instead of writing to the blocks as enumerated by the controller. Many USB devices are FAT aware and so actually lie to the FAT filesystem as part of their wear-levelling. (This is very rare, and only seen in really high-end stuff.)

              Back in the day, when I tried to do this stuff, Truecrypt's hidden partitions barely worked on metal, let alone flash, so I rolled my own. Given that you can now "hide" Truecrypt partitions on things, I am sure that there is lots of code to look at which might show the "how" without having to go too "dark net".

              1. Your alien overlord - fear me

                Re: How do you get the data out?

                There is the inbuilt one Microsoft uses. Can't remember what it's called (not shadow copy) but it writes hidden stuff to disks formatted with NTFS. Used in audit control/user locking or something.

              2. Charles 9 Silver badge

                Re: How do you get the data out?

                "Well, by definition they wouldn't be "compatible with Windows and NTFS" in that they wouldn't be mountable by Windows."

                As in they'll work with the right program, a la TrueCrypt/VeraCrypt. And it would require a driver-like low-level interface to interact with the devices at the block level (like a low-level Hex Editor). And of course it would have to employ a robust encryption system throughout so that at the least contents can't be easily seen. Additional work would be needed to conceal the fact a secret filesystem is being used (namely, writing random data into all free space in the drive before creating it; that way you have the excuse of cleaning up the drive prior to reusing it, excusing the proliferation of random-looking data in the free space).
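Trevor_Pott's "write to blocks the primary filesystem marks as free" scheme and Charles 9's point about pre-filling free space with random data both come down to one thing a defender can measure: unallocated clusters that are not zero-filled, and how random their contents look. The following is an added example, not code from the article or from any commenter. It builds a tiny FAT16 image in memory (the geometry, the `README.TXT` file and the planted bytes are all constructed for the demonstration), then walks the FAT and reports every free cluster that contains data, with a byte count and Shannon entropy. It assumes FAT16 throughout; a real forensic tool would derive the FAT type from the cluster count first.

```python
import math
import struct

# Geometry of the constructed demo image (assumptions for this example only).
BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, SPF = 512, 1, 1, 1, 16, 1
DATA_CLUSTERS = 8                              # clusters 2..9
CLUSTER_BYTES = SPC * BPS
COVERT_TEXT = b"hidden: metadata+payload"      # constructed covert record


def build_demo_image(covert=True):
    """Minimal FAT16 image: one legitimate file in cluster 2 and, optionally,
    data planted in clusters that the FAT still marks as free (entry 0)."""
    total_sectors = RESERVED + NFATS * SPF + (ROOT_ENTRIES * 32) // BPS + DATA_CLUSTERS * SPC
    img = bytearray(total_sectors * BPS)
    # BIOS Parameter Block fields the scanner reads (offsets 11..23 of sector 0).
    struct.pack_into("<HBHBHHB", img, 11, BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, total_sectors, 0xF8)
    struct.pack_into("<H", img, 22, SPF)
    img[510:512] = b"\x55\xAA"
    fat_off = RESERVED * BPS
    root_off = fat_off + NFATS * SPF * BPS
    data_off = root_off + ROOT_ENTRIES * 32
    # FAT16 entries 0 and 1 are reserved; cluster 2 is allocated (end of chain).
    struct.pack_into("<HHH", img, fat_off, 0xFFF8, 0xFFFF, 0xFFFF)
    # Root directory entry: 8.3 name, archive attribute, first cluster 2, size 13.
    struct.pack_into("<11sB", img, root_off, b"README  TXT", 0x20)
    struct.pack_into("<HI", img, root_off + 26, 2, 13)
    img[data_off:data_off + 13] = b"Hello, world!"
    if covert:
        # Clusters 5, 6 and 8 keep FAT entry 0 (free) but carry planted data.
        c5 = data_off + (5 - 2) * CLUSTER_BYTES
        c6 = data_off + (6 - 2) * CLUSTER_BYTES
        c8 = data_off + (8 - 2) * CLUSTER_BYTES
        img[c5:c5 + CLUSTER_BYTES] = b"\xAB" * CLUSTER_BYTES        # uniform filler
        img[c6:c6 + len(COVERT_TEXT)] = COVERT_TEXT                  # short record, rest zero
        img[c8:c8 + CLUSTER_BYTES] = bytes(range(256)) * 2           # random-looking, 8.0 bits/byte
    return bytes(img)


def shannon_entropy(chunk):
    """Bits per byte: 0.0 for uniform filler, 8.0 for a perfectly even byte spread."""
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    s = sum((c / n) * math.log2(c / n) for c in counts if c)
    return -s if s else 0.0


def scan_free_clusters(img):
    """Return (cluster, nonzero_bytes, entropy) for every cluster the FAT16
    marks as free but whose content is not all zeros."""
    bps, spc, reserved, nfats, root_entries, total16, _ = struct.unpack_from("<HBHBHHB", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]
    total_sectors = total16 or struct.unpack_from("<I", img, 32)[0]   # BPB_TotSec32 fallback
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + root_entries * 32
    cluster_bytes = spc * bps
    n_clusters = (total_sectors * bps - data_off) // cluster_bytes
    findings = []
    for cluster in range(2, 2 + n_clusters):
        if struct.unpack_from("<H", img, fat_off + 2 * cluster)[0] != 0:
            continue                      # allocated, bad or reserved: not free space
        start = data_off + (cluster - 2) * cluster_bytes
        chunk = img[start:start + cluster_bytes]
        nonzero = sum(1 for b in chunk if b)
        if nonzero:
            findings.append((cluster, nonzero, shannon_entropy(chunk)))
    return findings


if __name__ == "__main__":
    for cluster, nonzero, ent in scan_free_clusters(build_demo_image()):
        print(f"cluster {cluster}: {nonzero} non-zero bytes, entropy {ent:.2f} bits/byte")
```

On the demo image the scanner flags clusters 5, 6 and 8 and nothing else; a clean image returns an empty list. The entropy column is the part that speaks to Charles 9's suggestion: if every free cluster on a drive reads like cluster 8, "random data in free space" is either a deliberate wipe or a concealed store, and the scan alone cannot tell which. That makes the result a triage signal to be weighed against the drive's history, not proof on its own.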

        2. Martin-73 Silver badge

          Re: How do you get the data out?

          Just a thought exercise, but I wonder if it would be possible to develop software (malware) that would infect airgapped networks via this USB trick, but also be aware of modems (I would imagine a good few computers have them still for fax capability?) and dial out to a (for added bonus, premium rate) number of the bad guy's choosing?

          1. Anonymous Coward
            Anonymous Coward

            Re: How do you get the data out?

            If there's a comms device of any kind on the machine, then it's not airgapped by definition. Airgapping means the ONLY way to transfer data to and from it is by Sneakernet. In any event, firing up a dialup modem which rarely gets used will probably raise a red flag. Plus it'll get the phone companies involved with tracing the call.

            1. Trevor_Pott Gold badge

              Re: How do you get the data out?

              If it has a speaker and a microphone it has a comms system, so long as another system I can pwn also has a speaker and microphone. I can also use LEDs and cameras. Throughput is another question entirely...

    2. WatAWorld

      Re: How do you get the data out?

      As well as sending data back out the way by USB stick or optical disk, you can take over an infected machine to have it emit strong electromagnetic pulses to a monitoring device. It could do this either directly or through a peripheral device. It is a slower means of transmission, but it works.

      1. Captain DaFt

        Re: How do you get the data out?

        "you can take over an infected machine to have it emit strong electromagnetic pulses to a monitoring device."

        Fun little demo here: https://youtu.be/1I8GlINuhCY

        Program here: http://www.erikyyy.de/tempest/

        Uses a monitor to transmit an MP3 file to an AM radio. Old stuff, been done for years.

  2. Destroy All Monsters Silver badge
    Trollface

    "JHUHUGIT" sounds like a new meme

    Also, why is there a photo of St. Basil's cathedral?

    Are the hackers operating from its crypt?

  3. Anonymous Coward
    Anonymous Coward

    Well done NATO!

    NATO countries have an aggregate annual defence budget of around $1 trillion each year (and that doesn't include intelligence services and homeland defence etc). Which rather begs the question why the defence sectors of those countries are using commercial closed-source cr@pware, notorious for vulnerabilities and security problems for decades?

    How much would it cost to take a Linux distro, and make that as near secure as you'd ever get by scrutinising every single line of code? For 0.05% of the annual NATO defence budgets you'd have $500m as a starting fund....

    1. Anonymous Coward
      Anonymous Coward

      Re: Well done NATO!

      >Which rather begs the question why the defence sectors of those countries are using commercial closed-source cr@pware

      They're not - they're using commercial open-source cr@pware - Govs get source code access to MS products under GSP for instance.

      1. WatAWorld

        Re: Well done NATO!

        Linux has a history of having bugs resident for decades before someone stumbles upon them.

        That shareware has many friendly qualified expert white-hat eyes exhaustively scanning it for bugs is a MYTH.

        Shareware typically has barely enough minimally qualified experts to write the code -- ask Torvalds how lousy some of his authors are! Professionals don't work for free. And the bean counters who run companies say to freeload whenever you can.

        The thing is there have been far more eyes looking for vulnerabilities in Windows than have been looking for vulnerabilities in Linux or OS X, hackers, banks, governments, militaries, spy agencies, other vendors, plus MS itself.

        Windows has had its security far more professionally analyzed than any other operating system.

        Sure there are more off-the-shelf exploits for going after Windows, but if you're a bank, government or military, it is newly invented custom-written exploits that are the big danger, and it is much easier for corporate spies and intelligence agencies to invent a new custom-written exploit for Linux and OS X than Windows.

    2. TeeCee Gold badge
      Facepalm

      Re: Well done NATO!

      FFS, give that one a rest! It's bollocks.

      The pros all say that if you really want to find vulns in Open Source software, techniques such as fuzzing are the way to go[1]. Scrutinising code only serves to give you a headache. It might find a known vuln type squirreled away somewhere that nobody's thought to look for it before, but it won't find that new attack vector[2] that's the holy grail here.

      [1] And a consistent detection approach that works on all software is the better way anyway.

      [2] 'Cos you don't know what to look for, of course!

      1. Anonymous Coward
        Anonymous Coward

        Re: Well done NATO!

        techniques such as fuzzing are the way to go

        Nothing wrong with that as a testing method, but it doesn't take away the fact that the code should be properly written and inputs properly constrained. If you think about the core OS and application vulnerabilities, a huge proportion of these are buffer mismatches, integer overflows, or string format risks. These are almost all because underlying code is poorly written without sufficient field validation for both user input and registers. How basic is that? And that's what needs fixing.

        <owld git mode>

        Back in t'day when I worked on sharp end military systems, the code was written on the basis that at any stage you always handled unexpected input gracefully and securely. And unexpected meant any input or register not within the parameters that the code is intentionally handling. It can be done, I've done it, I'm sure you've done it. But the problem is that commercial software is usually written on the cheap, with cheap or non-existent quality control, and the only fix is rewriting the dodgy bits one line at a time.

        </owld git mode>

        1. Anonymous Coward
          Anonymous Coward

          Re: Well done NATO!

          "Back in t'day when I worked on sharp end military systems, the code was written on the basis that at any stage you always handled unexpected input gracefully and securely. And unexpected meant any input or register not within the parameters that the code is intentionally handling."

          But the imagination can only go so far. There's unexpected input, and then there's unexpected expected input. IOW, input that's within the parameters strictly speaking but still construed such that it can go wrong simply by it doing its intended purpose. There's little you can do about these kinds of problems because the programs can't see beyond their scope but a malware author can. Thus why you have things like Return-Oriented Programming where actual pieces of existing code are cobbled together just so to create havoc. It's like a farmer taking the fertilizer and diesel he uses everyday and making homemade ANFO with it instead.

  4. Steve Davies 3 Silver badge

    so no computer system is safe then?

    If it runs windows, java or flash and has USB connectivity...

    Suddenly those mainframes running CICS seem rather more attractive. There has to be a downside somewhere?

    1. Warm Braw Silver badge

      Re: so no computer system is safe then?

      There has to be a downside somewhere?

      Yep, you have to learn PL/1.

  5. chivo243 Silver badge
    Headmaster

    Flash on Industrial gear?

    Why? Yes, I am clueless in this area.

  6. Pen-y-gors Silver badge

    Ah the irony of it...

    a little earlier we had the story of Obama wanting back doors in encryption software to thwart terrorism. Governments are really trying to be the hackers' friend, aren't they.

    And does a cyber-attack on NATO count as terrorism? (Most things do these days - PICK UP THAT LITTER!) If so, can NATO use drones to hit the hacker?

    1. Destroy All Monsters Silver badge

      Re: Ah the irony of it...

      Dear Anti-Citizen.

      It was "PICK UP THAT CAN"

  7. WatAWorld

    Opposing militaries and governments are legitimate intelligence targets

    Despite the ideas of some government leaders and militaries, exceptionalism, whether by the USA or USSR, er Putin's Russia, is simply hypocrisy by rogue states. The only exceptional thing about these countries is that they are more rogue than most.

    Opposing militaries and governments are legitimate intelligence targets. Angela Merkel may think she is the only German citizen who deserves privacy, but I have no problem with opposing governments spying on our government or our government spying on opposing governments.

    Spying on allied militaries and governments is debatable, but it ultimately depends on what is mutually agreed. If we can spy on them, then they can spy on us.

    It is the definition of hypocrisy for us to complain about them doing to us what we do to them.

    However, the peaceful civilian population of one's own country is NOT a legitimate intelligence target.

    It is not legitimate for Russia to spy on peaceful Russians. Likewise it is not legitimate for our governments to spy on our peaceful citizens.

    How are western countries to ever hope to maintain democracies once their intelligence 'services' have transformed them into Chekist states, states where the intelligence agencies can blackmail, er uh, 'successfully intimidate' every prospective politician.

  8. CAPS LOCK Silver badge

    Why, if you must have open USB ports, would you have autorun on...

    ... or have data files on the USB sticks that are 'executed'? Justaskin'

    1. Bc1609

      Re: Why, if you must have open USB ports, would you have autorun on...

      Part of the fun of this kind of thing is finding out how code was run from the USB without autorun. IIRC Stuxnet managed it by exploiting an error in the display of shortcut icons, allowing malicious USB drives to run code whenever the files were viewed (not opened) in Windows Explorer.

      Of course, you can also reprogram the USB controller chip so that it appears to be a keyboard or network adapter or what have you. And then there are all the zero-days we just don't know about. Fun fun fun.

      1. chivo243 Silver badge

        Re: Why, if you must have open USB ports, would you have autorun on...

        So, would a portable optical drive with a write once optical disk help in this situation? I've not worked in an environment that required air gapping.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why, if you must have open USB ports, would you have autorun on...

          The trick with airgapping is that the only way to transfer stuff is by sneakernet. Which means you need a way to get data in and out so as to employ Sneakernet. Now, since this data can be sizeable and of a nature not conducive to human memory, you pretty much have to leave either a USB port or memory card slot open (and in terms of exploiting, the two are more or less interchangeable). And since the sole means to transfer your data is also a means of infection, you're kinda up crap creek. You can't even use a more-limited USB system driver since one of the infection vectors is to pretend to be a keyboard, and you need a keyboard to use a computer, you're SOL.

  9. Your alien overlord - fear me
    Trollface

    Why don't we ask that nice Mr Putin who is doing it? He's monitoring everything in mother Russia so he's bound to have a good idea who the culprits are!!!

    1. Destroy All Monsters Silver badge
      Trollface

      Give him a rest.

      He just gave a dossier about ISIS smuggling oil into Turkey, of which the US was TOTALLY UNAWARE and which is UNIMPORTANT IN ANY CASE and WE WILL BEGIN BOMBING IN FIVE MINUTES TO MAKE UP FOR IT, the poor sods (sounds like the time when no-one actually saw that Buk rolling around except people who apparently are used to snapping Sasquatch judging by the photographic quality, really bizarre)

      1. Anonymous Coward
        Anonymous Coward

        Sorry, not entirely true

        We knew ISIS was already smuggling oil, but the fact is that the Liar in Chief got showed up by Hollande and joined in the bombing. But prior to that, the Wimp in Chief wouldn't even let US forces bomb the ISIS oil transport trucks because the drivers were "not ISIS combatants".

        How do you tell the difference? Here's a clue, if they are driving an enemy vehicle, they are the enemy.

  10. herman Silver badge

    Just to name one example: Think of Battlestar Galactica and the Cylons. Air gapped machines are used to prepare military plans. These machines may need to get weather data, which is distributed on removable media. The media is scanned on a dedicated air gapped threat scanning machine, and if that machine gets compromised, then the infection can spread quickly.

  11. Tim99 Silver badge
    Coat

    Lessons from the past

    How about we all go back to green screens and plain text files? Or for the casual user a teletype terminal?

    Mine's the one draped over the chair in front of the VT52 >>=========>

  12. Anonymous Coward
    Anonymous Coward

    Air is not a vacuum

    Where there is IO there is hope.

    That LiFi stuff sounds interesting, I always thought the flashing LEDs were a good way out, hell with a couple to modulate you could probably map the room and inhabitants.
