
Air-Gapped Framework Malvertised!


In the first half of 2020, four malicious frameworks designed to attack air-gapped networks were detected, bringing the total number of such toolkits to 17 and offering adversaries a pathway to cyber espionage and the exfiltration of classified information.

All of these frameworks are designed to perform some form of espionage, and all of them used USB drives as the physical transmission medium to move data in and out of the targeted air-gapped networks.


Air-gapping is a network security measure designed to prevent unauthorized access to systems by physically isolating them from other, less trusted networks, including local area networks and the public internet. This also implies that the only way to transfer data to or from such a system is by connecting a physical device to it, such as a USB drive or an external hard disk.

Given that air-gapping is one of the most common ways SCADA and industrial control systems (ICS) are protected, APT groups, which are typically sponsored by or part of nation-state efforts, have increasingly set their sights on critical infrastructure in the hope of infiltrating an air-gapped network with malware to surveil targets of interest.

These frameworks were built to attack Windows-based operating systems, and 75% of them were found leveraging malicious LNK or Autorun files on USB drives either to carry out the initial compromise of the air-gapped system or to move laterally within the air-gapped network.


Some frameworks that have been attributed to well-known threat actors are as follows

Each framework takes its own approach, but they all have one thing in common: without exception, they all used weaponized USB drives. The only difference between connected and offline frameworks is how the drive is weaponized in the first place.

Connected frameworks work by deploying a malicious component on an internet-connected system that monitors for the insertion of new USB drives and automatically places on them the attack code needed to compromise the air-gapped system. Offline frameworks instead rely on the attackers deliberately infecting their own USB drives to backdoor the targeted machine.


Organizations with critical information systems and sensitive information are recommended to prevent direct email access on connected systems, disable USB ports and sanitize USB drives, restrict file execution on removable drives, and carry out periodic analysis of air-gapped systems for any signs of suspicious activity.

Maintaining a fully air-gapped system comes with the benefit of extra protection. But just like every other security mechanism, air-gapping is not a silver bullet and does not stop malicious actors from preying on outdated systems or poor employee habits.
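The two recommendations above that an operator can actually script, sanitizing USB drives and restricting file execution on removable media, come down to looking for exactly the artefacts the post says 75% of these frameworks rely on: autorun.inf files and LNK shortcuts, plus any executable content. The scanner below is an added example written for this post, not code from the original article or from any of the frameworks it discusses. It walks a mounted removable drive, reports every autorun.inf (and each directive in it that would launch a program), every .lnk file, and every file with an executable extension, including double-extension names such as `holiday.jpg.scr`. The extension list and the constructed sample drive in `demo()` are assumptions for illustration; the path you would really pass is the mount point of the drive being checked before it is allowed near an air-gapped host.

```python
"""Scan a removable drive for the artefacts air-gap toolkits are known to use.

Added example for this post; not code from the original article.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Extensions treated as "executable content" for the purpose of the
# "restrict file execution on removable drives" recommendation.
# Assumption: this set is illustrative, not exhaustive.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".hta"}

# autorun.inf directives that cause a program to be launched when the
# drive is opened: open=, shellexecute=, shell\<verb>\command=.
AUTORUN_KEYS = re.compile(r"^\s*(open|shellexecute|shell\\\w+\\command)\s*=",
                          re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str


def check_autorun(path: Path) -> list[Finding]:
    """Report an autorun.inf and every directive in it that launches a program."""
    findings = [Finding(str(path), "autorun.inf present on removable drive")]
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for line in text.splitlines():
        if AUTORUN_KEYS.match(line):
            findings.append(Finding(str(path), f"autorun directive: {line.strip()}"))
    return findings


def scan_removable_drive(root: str | os.PathLike) -> list[Finding]:
    """Walk the whole drive and collect autorun, shortcut and executable findings."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            lower = name.lower()
            if lower == "autorun.inf":
                findings.extend(check_autorun(p))
            elif lower.endswith(".lnk"):
                findings.append(Finding(str(p), "Windows shortcut (.lnk) on removable drive"))
            elif Path(lower).suffix in EXEC_EXTENSIONS:
                # Path(...).suffix takes the last extension, so "holiday.jpg.scr"
                # is caught here as well as plain "setup.exe".
                findings.append(Finding(str(p), f"executable content ({Path(lower).suffix})"))
    return findings


def build_sample_drive(root: str) -> None:
    """Constructed sample drive contents used by demo(); not real malware."""
    base = Path(root)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "photos").mkdir(parents=True, exist_ok=True)
    (base / "autorun.inf").write_text(
        "[autorun]\nopen=setup.exe\nicon=setup.exe\nshellexecute=readme.lnk\n")
    (base / "setup.exe").write_bytes(b"MZ constructed placeholder")
    (base / "docs" / "Quarterly Report.lnk").write_bytes(b"L\x00\x00\x00 placeholder")
    (base / "docs" / "notes.txt").write_text("meeting notes, benign\n")
    (base / "photos" / "holiday.jpg.scr").write_bytes(b"MZ constructed placeholder")


def demo() -> list[Finding]:
    """Build the constructed sample drive in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="usb_scan_")
    try:
        build_sample_drive(root)
        return scan_removable_drive(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.reason:50s} {f.path}")
```

A clean drive returns an empty list, so the check fits naturally into a kiosk or sheep-dip workflow: any finding means the drive is not cleared for use on the isolated network, and the reason string tells the operator which of the post's three artefact types triggered it. The notes.txt file in the sample produces no finding, which is the point: the scan is looking for launch mechanisms, not for documents.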
