Malware Campaign Targets Eastern European Air-Gapped Systems
Kaspersky Attributes Attacks to Beijing-Aligned APT31 Threat Actor
A multistage malware campaign is targeting industrial organizations in Eastern Europe with the objective of pilfering valuable intellectual property, including data from air-gapped systems.
Researchers at Kaspersky identified two implants used for the extraction of data from infected systems and attributed them to the Beijing-aligned APT31 group.
One of the two implants spotted by Kaspersky identifies removable drives and contaminates them with a worm. The other implant steals data from a local computer and sends it to Dropbox with the help of the next-stage implants.
Air-gapped equipment is typically more secure than networked computers because it is physically isolated. Large-scale industrial companies, such as power companies and oil and gas firms, as well as government agencies are among the most common users of these networks.
Air gapping is hardly a guarantee against hackers. Malware that attacks air-gapped networks has been reported by security firms in the past, including a cyberespionage framework that researchers at Eset named Ramsay in 2020 (see: Cyberespionage Malware Targets Air-Gapped Networks: Report). Easily the most famous example of malware jumping the air-gap barrier is Stuxnet, the cyberweapon aimed at disrupting Iran's nuclear facilities, identified in 2010 and widely reported to have been coded by the United States and Israel.
Kaspersky researchers said that in this most recent example of malware targeting air-gapped systems, they had identified more than 15 implants and their variants, planted by the group in various combinations.
The researchers divided the entire stack of implants into three categories:
- First-stage implants for persistent remote access and initial data gathering;
- Second-stage implants for gathering data and files, including from air-gapped systems;
- Third-stage implants and tools used to upload data to command-and-control (C2) servers.
The researchers did not reveal the initial attack vector but said that the latest research is devoted to second-stage malware used to gather data on infected systems.