European Govt Air-Gapped Systems Breached Using Custom Malware

An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents. From a report: According to an ESET report, this happened at least two times, one against the embassy of a South Asian country in Belarus in September 2019 and again in July 2021, and another against a European government organization between May 2022 and March 2024. In May 2023, Kaspersky warned about GoldenJackal's activities, noting that the threat actors focus on government and diplomatic entities for purposes of espionage. Although their use of custom tools spread over USB pen drives, like the 'JackalWorm,' was known, cases of a successful compromise of air-gapped systems were not previously confirmed.

Air Gapped, so the problem is humans?

[Hacksaw]

Humans, and their lack of training. Is anyone surprised?

Re: Air Gapped, so the problem is humans?

[dowhileor]

Or the agreed on distributed version of USB? How about those dodgy spectre mitigations idw I didn't read the cause.....

Re:

[Darinbob]

Anyone who's seen a James Bond movie knows that the weak link in the system is the villain's girlfriend with the innuendo filled name.

Re:

[taustin]

Anna Chapman [wikipedia.org] might agree.

Who allowed that?

[i kan reed]

Who let anyone put a USB drive in a secure air-gapped system?

If there was a formal way to get files out of The System, you'd hope it was more thought out than that.

The way I hear it, is for American classified systems, it's ten pin transfer only.

Re:

[iAmWaySmarterThanYou]

When I worked for a classified US Gvt entity, all the usb ports and anything else that could be used to copy data in/out in a similar manner were physically destroyed by the IT security team before they handed out computers.

You can't train people to do the right thing. Even the most ocd and knowledgeable person will eventually fuck up and they got you.

I am both amazed and saddened that in this day and age of super hacker state groups that such an attack is even a physical possibility. It is easy to destro

Re:

[bussdriver]

block USB 3 and 4. just use a hardened USB 2 with user-space drivers. DMA on USB? then opening up more with video/PCI with thunderbolt... 1 plug with a bunch of tiny icons indicating different sub-standards... idiotic. just to keep 1 physical plug for "ease" when actually complicating the thing more!

WTF? has everybody gone stupid? 1 simple serious port that is durable long lasting and slow and secure... make another plug for direct to RAM, PCI bus, etc. for fast security breaches and electrical attac

Re:

[RobinH]

Sorry, what's "ten pin transfer"? Google doesn't seem to want to enlighten me.

Re:

[TeknoHog]

Sorry, what's "ten pin transfer"? Google doesn't seem to want to enlighten me.

I imagine it refers to ten fingers, though it seems pretty optimistic to assume that everyone would type properly using all of their fingers. (In Finnish, touch typing is referred to as the ten-finger system.)

USB drives to blame

[mi]

The attack involves USB drives, which people are using. Originally these could be thrown around at parking lots next to the targeted buildings, or dropped into pockets/purses of the targeted personnel. Once inserted, they infect the computer and begin propagating themselves to other drives. They virus would also either copy "interesting" files to the drives, if it finds itself unable to send them out (as it would behind an air-gap), or sending them out, if possible.

The immediate reaction is to ban the usage

Re:

[Hacksaw]

You totally can get by without USB drives, fast passive serial connections have been around for decades. You just have to be willing to acquire the right stuff and follow proper procedure. Complacence is the hardest problem to solve here, but is it ever a doozy.

Re:

[mi]

You totally can get by without USB drives, fast passive serial connections have been around for decades.

And how would you, say, upgrade a computer, if you cannot bring any new data into it?

You can make it harder, but you cannot eliminate the threat entirely — much like a medieval castle cannot stand (for long) without a few gates breaching its walls.

Re: USB drives to blame

[Baloroth]

You generally wouldn't. Why would you need to upgrade it? The main reason for most systems is security vulnerabilities. That's not an issue if it's properly air gapped. You're certainly not going to trust something like Windows update or aptitude to update the system anyways (those are a *huge* security risk for state-level entities). If it really absolutely needs upgrades, you'd just pull the hard drive, or replace the entire system.

Re:

[Valgrus Thunderaxe]

You just have to be willing to acquire the right stuff and follow proper procedure

Nobody acquires the right stuff or follows proper procedures.

Re:

[PPH]

How would this document, once prepared on a classified system behind an air-gap, be shared/published to the outside world?

You request a copy that will be handed to you (yes, perhaps on a USB drive) through proper channels.

The most obvious answer is: USB-drive...

You don't get to decide what is/is not suitable for export from some classified data store. Or how it should be moved.

all fortifications require some means of getting through them â" gates, bridges, doors...

And there's a guard with an M-16. Show him your credentials and clearance.

Re:

[mi]

through proper channels.

Who is these "proper channels"? Some other people? How do you know, they would never pick up a stray USB drive?

And there's a guard with an M-16

For one, a human guard is no harder — perhaps, even easier — to subvert, than a mechanism.

More importantly, my point was more general: even though gates and doors weaken the defenses, they cannot be completely eliminated.

Re:

[Hacksaw]

Who is these "proper channels"? Some other people? How do you know, they would never pick up a stray USB drive?

When you have the formality of a guard, a simple part of the procedure is to ask "You didn't get this from the parking lot, right?"

The problem isn't strays, the problem is someone getting a compromised drive into your supply chain. And if your supply chain is Staples, say, you may have already lost the game.

Re:

[PPH]

And if your supply chain is Staples

Yeah. You don't know who hung those blister-packed USB drives on their rack.

I imagine that any decent SCIF will have a process for acquiring "clean" USB drives. Probably PIN or password secured drives. You can write this once. But only the person at the other end (whom you have cleared through the data transfer request) has the unlock key.

Re:

[mi]

When you have the formality of a guard

That guard may know even less about the threats, than the personnel actually using a computer. They guy could insert the USB-drive he found on his way to the job just as well as that hypothetical press-secretary I used in my example.

And "special" drive only needs to be inserted once. After that, you can keep using your strictest-vetted ones, and they'll become compromised too...

And if your supply chain is Staples

Hezbollah may wish, they bought their pagers [bbc.com] at Staples, i

More like "flipflopnet".

[Pseudonymous Powers]

If you're plugging USB sticks into it, your machine isn't air-gapped. It just has really shitty internet.

You fucking dumbasses!

[Rick Schumann]

Apparently some peoples heads need to be 'air-gapped' from anything more important than cleaning a toilet, if shit like this was allowed to happen.

Jesus H Christ

[MightyMartian]

All bets are off if someone can gain physical access to the hardware. At that point, disabling (either via BIOS or literally disconnecting or plugging them) external ports is the only way to go.