In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform flagged an unusual feature in the network of a client organization. The anomaly led researchers to ‘ProjectSauron’, a nation-state threat actor attacking state organizations with a unique set of tools for each victim, making traditional indicators of compromise almost useless. The aim of the attacks appears to be mainly cyber-espionage.
ProjectSauron is particularly interested in gaining access to encrypted communications, hunting them down using an advanced modular cyber-espionage platform that incorporates a set of unique tools and techniques. The most noteworthy feature of ProjectSauron’s tactics is the deliberate avoidance of patterns: ProjectSauron customizes its implants and infrastructure for each individual target, and never reuses them. This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks.
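The DNS exfiltration route mentioned above is one of the few patterns a defender can still look for when implants and infrastructure are unique per victim: data smuggled out in query names tends to show up as many distinct, long, high-entropy subdomains sent to one base domain. The following is an added detection example written for this page; it is not Kaspersky Lab's code and is not derived from the ProjectSauron report. It assumes a simple constructed log format of `<timestamp> <client_ip> <qtype> <qname>`, derives the "base domain" as the last two labels (a real deployment would use a public suffix list), and scores each client/domain pair on query volume, leftmost-label length, Shannon entropy and subdomain uniqueness. The log lines, thresholds and the `data-sink.example` domain are all constructed for the example.

```python
"""Heuristic detector for DNS-based exfiltration, run over constructed query logs.

Added illustration, not Kaspersky Lab's code. Assumed log line format:
"<timestamp> <client_ip> <qtype> <qname>". Sample data below is constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: ordinary lookups from 10.0.0.5 and a burst of long,
# random-looking TXT queries from 10.0.0.7 to a single (made-up) base domain.
SAMPLE_LOG = """\
2016-08-08T10:00:01Z 10.0.0.5 A www.example.org
2016-08-08T10:00:02Z 10.0.0.5 A mail.example.org
2016-08-08T10:00:03Z 10.0.0.5 A www.example.org
2016-08-08T10:00:04Z 10.0.0.5 A cdn.example.org
2016-08-08T10:00:05Z 10.0.0.7 TXT 9f3a7c21e04b8d6a5f1c.0001.data-sink.example
2016-08-08T10:00:06Z 10.0.0.7 TXT b2e67d0f41a9c3588e7d.0002.data-sink.example
2016-08-08T10:00:07Z 10.0.0.7 TXT 0c4d9ab1f72e6385c1da.0003.data-sink.example
2016-08-08T10:00:08Z 10.0.0.7 TXT 6e1f8a3d5b07c9e24f1a.0004.data-sink.example
malformed line that the parser should skip
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (base_domain, subdomain_labels) or None if there is no subdomain.

    Assumption for this example: the base domain is the last two labels.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), labels[:-2]


def analyze(log_text, min_queries=3, min_label_len=16, min_entropy=2.5,
            min_unique_ratio=0.8):
    """Score every (client, base_domain) pair and return the suspicious ones."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip lines that do not match the assumed format
            continue
        _ts, client, _qtype, qname = parts
        parsed = split_name(qname)
        if parsed is None:
            continue
        base, sub = parsed
        s = stats[(client, base)]
        s["queries"] += 1
        s["subdomains"].add(".".join(sub))
        s["lens"].append(len(sub[0]))             # leftmost label carries the payload
        s["ents"].append(shannon_entropy(sub[0]))

    findings = []
    for (client, base), s in sorted(stats.items()):
        n = s["queries"]
        if n < min_queries:
            continue
        mean_len = sum(s["lens"]) / n
        mean_ent = sum(s["ents"]) / n
        unique_ratio = len(s["subdomains"]) / n
        if (mean_len >= min_label_len and mean_ent >= min_entropy
                and unique_ratio >= min_unique_ratio):
            findings.append({"client": client, "domain": base, "queries": n,
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "unique_ratio": round(unique_ratio, 2)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The thresholds are deliberately loose starting points: hex-encoded payloads such as the ones above score around 3.9 bits per character, while ordinary hostnames are short and repetitive, so the three conditions together separate the two classes without tuning. Raising `min_entropy` or lowering the window of `min_queries` trades false negatives for false positives, which is the usual knob when deploying this kind of heuristic against resolver logs.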
ProjectSauron gives the impression of being an experienced and traditional actor that has put considerable effort into learning from other extremely advanced actors, including Duqu, Flame, Equation and Regin, adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered.
ProjectSauron tools and techniques of particular interest include:
To date, more than 30 victim organizations have been identified in Russia, Iran and Rwanda, and there may be some in Italian-speaking countries. We believe many more organizations and geographies are likely to be affected.
Based on our analysis, targeted organizations generally play a key role in providing state services and include:
Forensic analysis indicates that ProjectSauron has been operational since June 2011 and remains active in 2016. The initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.
“A number of targeted attacks now rely on low-cost, readily-available tools. ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customizable scripted code. The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting edge techniques from other major threat actors, is rather new. The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organizational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none,” said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab.
The cost, complexity, persistence and ultimate goal of the operation (stealing confidential and secret information from state-sensitive organizations) suggest the involvement or support of a nation state.
Kaspersky Lab security experts advise organizations to undertake a thorough audit of their IT networks and endpoints and to implement the following measures:
The full report on ProjectSauron has been made available in advance to customers of the Kaspersky Lab APT Intelligence Reporting service. Learn more at: http://www.kaspersky.com/enterprise-security/apt-intelligence-reporting.
All Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen.
To learn more about ProjectSauron, read the blog post on Securelist.com.
Learn more about how Kaspersky Lab products can protect users from this threat.