© 2025 科技回声. All rights reserved.

European govt air-gapped systems breached using custom malware

281 points, by tagyro, 7 months ago

22 comments

EvanAnderson, 7 months ago
Given the discipline surrounding most "air gapped" machines I've seen I always find this quote appropriate:

"At best, an air gap is a high-latency connection" -Ed Skoudis - DerbyCon 3.0
lolc, 7 months ago
Reminds me of the time I was looking after a SECURE system: One of the tasks was the daily update of the antivirus. So I would grab the blessed stick, insert it into the Internet-PC, and using FTP would download the latest antivirus update. Then I'd walk over to the SECURE system, insert the stick, and run the exe from the stick. There, system SECURED for today!

Norton, trust no other!
benoau, 7 months ago
The weak point is the shared USB device that copies from one machine to another, which seems to defeat the whole purpose of being air-gapped. You could have printed-and-OCR'd data three decades ago so the air-gapped machine is never reading anything from outside at all; these days a video stream and AI could probably automate that?
firesteelrain, 7 months ago
This is an old attack vector. No one is learning from history. The organizations being hit have poor cybersecurity.

https://en.wikipedia.org/wiki/2008_malware_infection_of_the_United_States_Department_of_Defense
_hl_, 7 months ago
Why would you go through all the hassle of setting up an air-gapped system, only to stop at enforcing strict code signing for any executable delivered via USB?
ThinkBeat, 7 months ago
This does really not deserve a huge writeup.

Employees (unknowingly(?)) using infected USB drives caused security problems. Well imagine that.

As several others pointed out, the USB ports on the secure server should all be fully disabled.

In addition I would suggest leaving one rewired, seemingly available USB port that will cause a giant alarm to blare if someone inserted anything into it.

Further, all information being somehow fed into the secure machines should be based on simple text-based files with no binary components. To be read by a bastion host with a drive and driver that will only read those specific files that it is able to parse successfully and write it out to the destination target, which I would suggest be an optical WORM device that can then be used to feed the air-gapped system.
3np, 7 months ago
> As was the case in the Kaspersky report, we can't attribute GoldenJackal's activities to any specific nation-state. There is, however, one clue that might point towards the origin of the attacks: in the GoldenHowl malware, the C&C protocol is referred to as transport_http, which is an expression typically used by Turla (see our ComRat v4 report) and MoustachedBouncer. This may indicate that the developers of GoldenHowl are Russian speakers.

This is quite a stretch. So we have nothing so far.
amatecha, 7 months ago
As soon as the article started describing malware being installed upon insertion of a USB thumb drive, I had to Ctrl-F for "Windows", and indeed, of course that's the OS these machines are running.

I'd be really curious to hear of stories like this where the attacked OS is something a little less predictable/common.
userbinator, 7 months ago
Unless I'm missing something, this doesn't rely on something really advanced and low-level like USB drive firmware, but a classic flaw that's existed in Windows for almost 30 years:

> It is probable that this unknown component finds the last modified directory on the USB drive, hides it, and renames itself with the name of this directory, which is done by JackalWorm. We also believe that the component uses a folder icon, to entice the user to run it when the USB drive is inserted in an air-gapped system, which again is done by JackalWorm.

It's just another variant of the classic .jpg.exe scam. Stop hiding files and file extensions and this hole can be easily closed.
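The decoy layout quoted in this comment (a hidden directory shadowed by an executable carrying its name) can be checked for before a stick is trusted. The following is an added example, not code from the thread, from ESET or from any commenter: it walks a mounted drive and reports every executable whose stem is also the name of a sibling directory; the extension list and the sample tree are constructed for illustration.

```python
"""Flag the 'executable disguised as a folder' layout on a removable drive.

With file extensions hidden, a directory 'Reports' (hidden) next to a file
'Reports.exe' (folder icon) shows up as a single folder, so the user runs the
executable. This check surfaces that pairing; it does not inspect file contents.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# File types Explorer runs on double-click (constructed list; extend as needed).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".lnk"}


@dataclass(frozen=True)
class Finding:
    decoy: str      # path of the executable posing as the folder
    shadowed: str   # path of the directory whose name it borrows
    hidden: bool    # True if that directory carries a hidden marker


def is_hidden(path: str) -> bool:
    """Windows hidden attribute; on POSIX fall back to the dot-prefix convention."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    win_hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    return win_hidden or os.path.basename(path).startswith(".")


def find_folder_decoys(root: str) -> list[Finding]:
    """Return every executable whose stem matches a directory in the same folder."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_here = set(dirnames)
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXECUTABLE_SUFFIXES and stem in dirs_here:
                shadowed = os.path.join(dirpath, stem)
                findings.append(Finding(os.path.join(dirpath, name), shadowed, is_hidden(shadowed)))
    return sorted(findings, key=lambda f: f.decoy)


def build_sample_drive() -> str:
    """Create a throwaway tree imitating the decoy layout (sample data, empty files only)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "Reports"))
    open(os.path.join(root, "Reports.exe"), "wb").close()   # decoy shadowing 'Reports'
    open(os.path.join(root, "minutes.docx"), "wb").close()  # benign document
    open(os.path.join(root, "Setup.exe"), "wb").close()     # executable with no sibling dir
    return root


if __name__ == "__main__":
    for f in find_folder_decoys(build_sample_drive()):
        print(f"{f.decoy} shadows {f.shadowed} (hidden={f.hidden})")
```

Run it against the mount point of a stick instead of the sample tree; a clean drive returns an empty list.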
anthk, 7 months ago
> Ctrl-f, Windows.

Ahem, "air-gapped".

Any decent Unix system has either udev or hotplug based systems to disable every USB device not related to non-storage purposes. Any decent secure system wouldn't allow the user to exec any software beside what's in their $PATH. Any decent system wouldn't allow the user to mount external storage at all, much less execute any software on it.

For air-gapped systems, NNCP under a secure Unix (OpenBSD with home mounted as noexec, sysctl security tweaks enforcing rules, and such) is a godsend.

Securelevel https://man.openbsd.org/securelevel.7

NNCP http://www.nncpgo.org/
no-reply, 7 months ago
Isn't this how Stuxnet got into Iranian facilities?
Roark66, 7 months ago
Am I the only one that finds it incredible an air gapped device has enabled USB ports? You want to bring data to it, use a freaking cd/dvd-rom. You may bring all sorts of crap in, but if let's say the air gapped machine is reimaged from cd/dvd every day and nothing ever leaves it, who cares?
gman83, 7 months ago
I don't know anything about security, but why does an airgapped system even have a USB drive? Seems obvious to me that you want to disable all IO systems, not just internet? OK, sure, people can still take photos of the screen or something, but that would require a willing collaborator.
blueredmodern, 7 months ago
You generally want to avoid getting malware into your network, but it is even more important to avoid allowing for exfiltration of data. So the "copy via USB-stick" serves a purpose and makes it MUCH harder to exfiltrate data.
binary_slinger, 7 months ago
I'm a bit disappointed the mechanism to exfiltrate data is based on sharing the USB between an internet-connected and air gapped devices. It would have been cool if it used some other side channel like acoustic signals.
snvzz, 7 months ago
Wouldn't have happened had they used seL4.

I'd hope there's some EU investment on it now.
notorandit, 7 months ago
I would bet that those air-gapped systems are running some version of MS Windows.
amelius, 7 months ago
Let me guess. Someone installed a TCP-over-airgap utility.
lionkor, 7 months ago
> This may indicate that the developers of GoldenHowl are Russian speakers.

Journalists need to check their biases and ensure that everything they write is balanced. When mentioning that they might be Russian speakers, a good balancing sentence would be to point out countries which use the Russian language. Just throwing in "Russian speaker" after explicitly stating they're not sure which nation state did this is extremely unprofessional.

Sure, mention all the facts. Don't try to interpret them as "clues". If you have to, make sure you're not building a narrative without being absolutely sure.

It's not good journalism to go from `transport_http` to indicating that this is an attack by the Russian federation. That's not how you do good journalism. How many people will retain the fact that the author does NOT know which, if any, nation state did this?
sandworm101, 7 months ago
I'm actually seeing some organizations deliberately forbidding air-gapped systems. The upsides no longer outweigh the downsides. While the speed at which attacks can be implemented is lower, they are more difficult to detect. An air-gapped system still needs to be updated and policed. So someone has to move data into it, for software updates at least. But the air-gap makes such systems very difficult to monitor remotely. Therefore, once an attack is ongoing it is harder to detect, mitigate and stop.
dackdel, 7 months ago
love it
GianFabien, 7 months ago
tldr: The breach relied on careless human(s) using a USB key to and from the air-gapped systems. All the clever technology would have been for naught had the staff used robust physical security procedures.