Chinese Hacker Group Targets Air-Gapped Networks

itwbennett writes An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye, which released a 69-page technical report on Sunday on the group. FireEye picked up on it after some of the malware used by the group was found to have infected defense-related clients in the U.S., said Jen Weedon, manager of strategic analysis with FireEye.

What we need

[fustakrakich]

is a bigger gap!

Re:

[Impy the Impiuos Imp]

"Mr. President, we cannot allow an air gap gap!"

Is a water gap

[dkman]

I would link a picture of a castle with a moat but I'm too lazy.

Air is so passe.

Hillarrhea!'s mail server?

[Anonymous Coward]

Haven't they already hacked that?

Re:

[Anonymous Coward]

They probably paid for it. But we'll never know. She wiped the server clean after congress asked he for the emails.

No mention of getting data out

[Ed Tice]

It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is d

Re:

[turbidostato]

"So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful."

In one acronym: DoS.

Re:No mention of getting data out

[ScentCone]

you can bring your USB drive into the secure area, but it can't be removed ... I still don't have anything useful

Stuxnet wasn't all about "getting anything out," either.

Re:

[Colin Castro]

Stuxnet dialed home everyday for new instructions though.

Re:No mention of getting data out

[ScentCone]

Sure, but something like that doesn't HAVE to, in order to still be a significant (and possibly lethal) PITA.

Re:No mention of getting data out

[Lumpy]

dont have to dial home. Look for new incoming infections to carry the new commands.

You attack an airgapped but human vulnerable systems like you send probes to outer space. You keep sending them in hopes that one reaches it's target. Anything after you send with the same hopes but with new commands for anything that may have made it there.

and airgapped can have a reverse comms channel you just need to be clever in finding that channel. Attacking a science facility? You had to target a scientist to get it in there, so target that same person as the outgoing data stream. all you need is YES/NO data. so alter their data that they would communicate back out manually.

Pop up a typical windows error, "CAUTION ID10T ERROR OK/RETRY" They will report that back to IT via their email that you are watching. There is your return data channel.

Re:No mention of getting data out

[masterofthumbs]

I think they are relying on people to accidentally forget to confiscate the devices when leaving secure areas or the malware is waiting for some other way to communicate out of the network. Recently, a researcher showed how he was able to move data (albeit, very slowly) between two air-gapped machines just using temperature changes of both infected machines. Something using built-in speakers and mics of two machines could also move data using ultrasonic audio. If this is a targeted attack looking for a specific piece of information, a private key perhaps, you wouldn't need to transfer the information very long before someone notices.

All of these air-gapped exploits pretty much rely on people clicking things they shouldn't or plugging things in to other things they shouldn't but the hard part is getting back out of the air-gapped network.

Re:No mention of getting data out

[geekmux]

It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing it's job.

This may be true of the systems you have worked on, but it isn't true of all classified systems.

If a classified system is approved for trusted downloading, then it is enabled for certain data to be passed to and from that air-gapped system, usually via optical drive, but other means(USB, floppy) are not unheard of.

Let's put this another way. Ongoing development that also includes attacks on air-gapped systems would not be ongoing if there were no viable methods of attack. That would be rather pointless.

Re:No mention of getting data out

[dunkindave]

It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing it's job.

There are ways for a machine to transmit information other than a wire, that can be detected by other devices. The infected air-gapped machine could send information out through its speakers that a microphone elsewhere could hear. It could flash its screen in binary in the middle of the night that someone outside the building might see through a window. It can raise and lower its power usage through various means that might be detected at the power feed. There was even an article [hacked.com] a month ago talking about changing the heat output of the air-gapped machine that could be detected by the thermal sensors in a nearby computer. And there are even more that I won't go into.

So there are ways to send information out even if the USB drive doesn't leave.

Re:

[dkman]

You're a scary individual, but I like the way you think.

Re:

[Ungrounded Lightning]

It can do bursts of computation, memory access, or anything else that varies the amount you wiggle voltages or currents on wires in a way that emits radio waves. You can do it without even trying (which is one way some smartcards exposed private keys ...).

In the days of CRTs that applied especially well: Graphics output could modulate the beam and generate a LOT of radio. (Doing gray scales by making shifting fine patters would be an especially "in your face but you can't see it" approach.) A fast photo

Re:

[The-Ixian]

Do you need some sort of auto-run action upon insertion of the USB stick in order for this to work?
 
Seems crazy that you would have a policy to automatically execute anything.

Re:

[pscottdv]

http://www.wired.com/2014/10/c... [wired.com]

Re:

[rtb61]

That is not technically correct, as a proper air gapped network should not have any means to digitally add data other than via secured, monitored and filtered access points. So failures in air gap system design are obvious, still live wireless hardware, unconditioned power feeds and local terminals with poor input control methods. The untoward access to a properly designed air gapped network should be via corruption of personal and that data should only be copied and removed in hard copy form or be added m

Re:

[drkim]

...even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful.

Unless the hack on that USB stick forces the target machine to start radiating data on RF via its monitor or other peripherals.

Those radiations could then be read from an external pickup.
"Van Eck phreaking is a form of eavesdropping in which special equipment is used to pick up side-band electronic-magnetic emissions from electronics devices that correlate to hidden signals or data for the purpose of recreating these signals or data in order to spy on the electronic device. Side-band electromagnetic radiat

Re:

[dunkindave]

Stuxnet was first therefore title should say, Chinese are following US footsteps, or Chinese are caching up to Americans, etc.

Getting malware onto air-gapped machines through covert means predates stuxnet by a large amount (decades), with the Russians being one of the earliest practicers.

Re:

[halivar]

Wasn't the first practitioner a computer store in Pakistan? Your computer would just display a message saying, "to fix this message, $$$ to this computer store in Pakistan" or something to that effect. Even had their name in it and everything.

Re:

[halivar]

Ah, here it is [wikipedia.org]. Even better that it was accidental.

Re:

[arth1]

Chinese are caching up to Americans, etc.

Hopefully not using nginx.

.....this is news?

[ilsaloving]

The group designed malware components with worm-like capabilities that can infect removable drives such as USB sticks and hard drives. Those devices can transfer the malware if connected to a device on an air-gapped network.

Um... welcome back to the 80s and 90s?

Re:

[wren337]

I worked at an online real-estate service in the early 90's, we let realtors mail us floppy disks that our VB app had written listing information onto. One of our jobs was to run through the stack of floppies in the mail every day. So many viruses. People really were clueless about AV protection and were just swapping disks.

Re:

[sudon't]

Ah, yes. I remember well, sticking a floppy into a rent-a-Mac at the local copy shop, and watching the virus scan.

I wonder...

[Flavianoep]

If the machines are air-gapped, how are their software updated?

Re:

[ageoffri]

Scrutinize software updates and reduce the risk that the software will introduce additional risks. Utilize the sneaker net with some sort of portable media. Perform updates on air-gapped machines. Destroy portable media.

Re:

[Migraineman]

This only works if the userbase is 100% cooperative. My observation is that if something is inconvenient, there is incentive to route around it. Good security procedures are necessarily inconvenient. Further, when you add the imperfectness of the meatbag into the system, it's all too easy to accidentally bring a cell phone into a secure area, or to miss the CD-R in the stack of benign papers that gets taken out of the secure area.

Re:

[rahvin112]

It's not hard to download the updates from a secure isolated computer burn them to disc and transfer them to an administration machine on the closed network. Ideally this machine would be locked down so heavily to be near unusable so its chance of compromising is reduced. Along with audits before and after downloading.

The NSA sets the DOD's policies on this stuff, and they wrote the book on compromising systems.

Re:

[Anonymous Coward]

If the machines are air-gapped, how are their software updated?

If the computer is air-gapped and only connected to an internal network that is isolated from any other network which might have Internet connectivity, there is no reason to update software on a regular basis. If you only create documents and are using WordPerfect and print all documents for dissemination why would you update or change the word processing software?

Re:

[Chris Mattern]

And the answer is, they are not air-gapped during the update procedure, which thus must be carefully controlled Updates tend not to happen often in such evironments, for exactly that reason.

Sometimes it's not.

[Anonymous Coward]

We've got systems where the software is simply frozen.

Re:

[Hamsterdan]

a:\update.exe

Re:

[PPH]

With floppies [arstechnica.com].

Note to the terminology-impaired

[Chris Mattern]

If you can stick foreign media into it, it's not airgapped.

Re:

[Chris Mattern]

Yes it is. Otherwise, you would never get a single computer on that network. At some point you *have* to bring something into the area.

Correct. And at that point, the system is not airgapped. It will be airgapped once installation is complete and system sealed.

Re:

[Anonymous Coward]

Yes it is. Otherwise, you would never get a single computer on that network. At some point you *have* to bring something into the area.

Correct. And at that point, the system is not airgapped. It will be airgapped once installation is complete and system sealed.

The operating level is airgapped.

Stop being *that guy* who wants to nitpick this shit down to maintenance-level support for offline systems. The fucking power cord means it's "online" if you can build sensors that detect varying levels of voltage. Same goes for RF bleed if you've not built TEMPEST shielding around the hardware.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Ralph Wiggam]

Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.

I have heard that many air gapped networks also put super glue in the USB ports, but that's not required.

Re:

[Chris Mattern]

Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.

Wrong. An "air gap" is a *network and system* configuration. There is no *nothing* connecting the system/network to the outside. If there isn't air between hardware and *any* outside media, network or otherwise, there isn't an air gap.

Re:

[Ralph Wiggam]

So workstations on an airgapped network can never get software upgrades?

Re:

[Chris Mattern]

So workstations on an airgapped network can never get software upgrades?

Correct. The system would have to have its airgrapped status stand down temporarily to perform the upgrade. Which is one reason that upgrades on such systems are rarely done.

Re:

[Ed Tice]

The updates would be brought in via approved media. That media would never leave the secure facility.

Or data to be processed?

[Ungrounded Lightning]

So workstations on an airgapped network can never get software upgrades?

Or data to be processed?

Re:

[Anonymous Coward]

Sure it is. An "air gap" is a network configuration- e.g. there is no wire connecting the network to the outside world.

Wrong. An "air gap" is a *network and system* configuration. There is no *nothing* connecting the system/network to the outside. If there isn't air between hardware and *any* outside media, network or otherwise, there isn't an air gap.

No, this is not the accepted industry definition of air gapped systems. Most air gapped systems needs some way of receiving updates to the code they are running or export/import changes to data sets. But USB sticks is probably the most dangerous method you could choose for this, CD would be better.

Been there, done that

[__aabppq7737]

Next up: paper and pencil espionage.

Advanced hacking group likely aligned with China?

[DougPaulson]

"An otherwise unremarkable hacking group likely aligned with China appears to be one of the first to have targeted so-called air-gapped networks that are not directly connected to the Internet, according to FireEye"

What evidence does FireEye have that 'China' is behind this and why don't you mention that the main technology required in order to facilitate crossing the 'air-gapped networks', is a portable USB device, malicious email attachments and Microsoft Windows.

Not only that, but....

[anwyn]

they also have all the emails Hillary told you she deleted!