The cyber-espionage group identified as Strider by Symantec researchers is as advanced and sophisticated a threat as any other known APT in history -- including Duqu, Flame, The Equation Group and Regin -- according to an analysis by Kaspersky Lab.
In Kaspersky circles, the APT group goes by a different name -- ProjectSauron -- because configuration files within the APT's malicious code reference the villain Sauron from the Lord of the Rings book series. Kaspersky's report sheds additional light on the elite threat, which has existed since at least 2011 and appears to be highly selective in choosing its targets, customising the subsequent attacks accordingly.
The research lab reported finding over 30 infections affecting government computers, scientific research centres, military systems, telecommunication providers and the finance industry since first uncovering threat indicators in September 2015. While most targets were based in Russia, Symantec also detected the threat in Chinese, Swedish and Belgian assets, while Kaspersky separately detected infections in Iran, Rwanda and possibly certain Italian-speaking countries.
“ProjectSauron seems to be dedicated to just a few countries, focused on collecting high-value intelligence by compromising almost all key entities it could possibly reach within the target area,” the Kaspersky report said.
Such behaviour indicates the APT is likely backed by a nation-state -- a conclusion Symantec drew in its own report. "We can say the malware, tactics, tools and procedures (TTPs), as well as victims discovered during this investigation, are what is usually seen with cyber-espionage campaigns which are often sponsored by nation-states," said Jon DiMaggio, Symantec senior threat intelligence analyst, in an earlier emailed interview with SCMagazine.com.
Kaspersky also reported that the APT is especially interested in a specific piece of communications-encryption software that is prominently used by the targeted government organisations. To that end, ProjectSauron steals encryption keys, configuration files and the IP addresses of infrastructure servers linked to this software. Moreover, ProjectSauron extensively leverages the DNS protocol, including DNS tunneling, for data exfiltration and real-time status reporting, so that stolen material leaves the network inside queries that most perimeter controls allow by default.
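The DNS-tunneling behaviour described above leaves a recognisable footprint in resolver logs: many distinct, long, high-entropy leftmost labels under a single domain. The following is an added example of that heuristic, written for this page; it is not code from the Symantec or Kaspersky reports and the log lines, domain names and thresholds are constructed. It assumes the registered domain is the last two labels, which is a simplification (real tooling should use the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs ("client qname"), not from the
# Symantec or Kaspersky reports. The updates-cdn.example entries mimic a
# tunnel: many unique, high-entropy leftmost labels under one domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 host01.corp.example.org
10.0.0.5 host02.corp.example.org
10.0.0.5 host03.corp.example.org
10.0.0.5 host04.corp.example.org
10.0.0.7 kq7xm2v9pz3hw8.t.updates-cdn.example
10.0.0.7 b4yc6nd0rsj1ae.t.updates-cdn.example
10.0.0.7 f9ghp5lu2wxz7q.t.updates-cdn.example
10.0.0.7 n8vr3tmk6jc1dy.t.updates-cdn.example
10.0.0.7 z2qa9sbe4lh7xo.t.updates-cdn.example
10.0.0.9 cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (leftmost_label, registered_domain).

    Assumption: the registered domain is the last two labels. Production
    code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname) from 'client qname' lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1]


def suspicious_domains(text: str, min_unique=4, min_len=12.0, min_entropy=3.0):
    """Domains whose leftmost labels look like encoded payload chunks.

    A domain is flagged only when it has at least min_unique distinct
    leftmost labels AND their mean length and mean entropy both exceed the
    thresholds; the unique-label floor keeps ordinary hostnames out."""
    prefixes = defaultdict(set)
    for _client, qname in parse_log(text):
        prefix, domain = split_qname(qname)
        if prefix:
            prefixes[domain].add(prefix)
    flagged = []
    for domain, labels in prefixes.items():
        if len(labels) < min_unique:
            continue
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))  # ['updates-cdn.example']
```

The host01..host04 cluster shows why both thresholds are needed: four distinct labels satisfy the uniqueness floor, but short, low-entropy hostnames should not be flagged. Lowering the thresholds (as the second assertion in testing does) brings that cluster in, so tune them against a baseline of your own resolver traffic before alerting on the output.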
Even air-gapped computers are not immune. According to the report, the threat actor is able to lift data from isolated networks and transfer it to Internet-connected systems using specially crafted removable USB storage drives that contain hidden storage areas -- invisible to a machine's operating system.
To spy on organisations and steal their data, ProjectSauron uses highly sophisticated modular malware, which Symantec calls Remsec. To maintain persistence, Remsec's backdoor module is installed on networks' domain controllers as a Windows Local Security Authority (LSA) password filter. Password filter DLLs are loaded into the LSA process at boot and are called with the new cleartext password whenever a user or administrator sets or changes one, so the backdoor starts automatically and harvests those credentials.
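Because password filters are registered under a single, well-known registry value, the persistence technique above is straightforward to audit. The following is an added example, not code from the reports: it compares the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` against a baseline and resolves each unexpected package to the DLL path the LSA would load. The baseline (`scecli` and `rassfm` on a domain controller) and the sample value, including the hypothetical `netlogonfix` package, are assumptions; confirm the baseline against a known-good DC in your own environment.

```python
import ntpath

# Assumed default LSA notification packages on a Windows domain controller.
# Verify this baseline against a known-good DC before relying on it.
DC_DEFAULTS = {"scecli", "rassfm"}
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample of a tampered value. "netlogonfix" is a hypothetical
# name chosen for this example, not an artefact name from the reports.
SAMPLE_VALUE = "scecli\nrassfm\nnetlogonfix"


def parse_multi_sz(raw: str):
    """Normalise a Notification Packages value (REG_MULTI_SZ, given here as
    newline-separated text) into a set of lower-case package names."""
    return {name.strip().lower() for name in raw.splitlines() if name.strip()}


def unexpected_password_filters(packages, expected=DC_DEFAULTS):
    """Return the package names that are not in the baseline, sorted."""
    found = {p.lower() for p in packages}
    return sorted(found - {e.lower() for e in expected})


def resolve_dll_path(name: str, system32: str = r"C:\Windows\System32") -> str:
    """The LSA loads each listed package as <System32>\\<name>.dll; return that
    path so the file can be hashed and checked for a trusted signature."""
    if not name.lower().endswith(".dll"):
        name += ".dll"
    return ntpath.join(system32, name)


def audit(raw: str = SAMPLE_VALUE):
    """Pair every unexpected package with the DLL path it will be loaded from."""
    extra = unexpected_password_filters(parse_multi_sz(raw))
    return [(name, resolve_dll_path(name)) for name in extra]


def read_notification_packages():
    """Live read of the value; only works on Windows (winreg is not available
    elsewhere), so it is kept separate from the pure audit logic above."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, "Notification Packages")
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError("unexpected registry type for Notification Packages")
    return list(value)


if __name__ == "__main__":
    for name, path in audit():
        print(f"unexpected password filter: {name} -> {path}")
```

An unexpected entry is not proof of compromise on its own: third-party password-policy products legitimately register filters here. The follow-up is to hash and signature-check the resolved DLL and to alert on writes to this value (for example via Sysmon registry events), since the filter is loaded on the next LSA start.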
Kaspersky said it found 28 domains connected to 11 IPs in the US and Europe that appear to be linked to ProjectSauron activity. “Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns. Unfortunately, little is known about these servers,” Kaspersky reported.