Two top electronic security firms have discovered a new powerful malware suite being used to target just dozens of high-value targets around the world. The research shows that it was likely developed on the orders of a government engaging in cyber espionage.
The California-based Symantec has labeled the group behind the attack Strider, while Moscow-based Kaspersky Labs dubbed it ProjectSauron. Both are references to J. R. R. Tolkien’s Lord of the Rings, a nod to the fact that the original malware code contained the word “Sauron.”
But behind the playful literary allusions is a powerful piece of software, capable of “harvesting” passwords on entire networks and “modules are designed to perform specific functions like stealing documents, recording keystrokes, and stealing encryption keys from both infected computers and attached USB sticks,” according to Kaspersky.
The team behind the project has been collecting data illegally since at least October 2011, said Symantec. It had been fooling even the most sophisticated detection systems until last year, when security firms began to identify its components at work, largely due to its choice of targets.
“The group has maintained a low profile until now and its targets have been mainly organizations and individuals that would be of interest to a nation state’s intelligence services,” Symantec wrote. “Strider has been highly selective in its choice of targets and, to date, Symantec has found evidence of infections in 36 computers across seven separate organizations. The group’s targets include a number of organizations and individuals located in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium.”
Kaspersky Lab has a different list of infections – which include Rwanda, and unspecified Italian-speaking nations – but says that “government scientific research centers, military, telecommunication providers, finance” were all targets.
“We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation state,” said Kaspersky Lab, which says it is cooperating with victims and law enforcement authorities to inform them. “Kaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have required several specialist teams and a budget probably running into millions of dollars.”
Kaspersky Lab compared the threat of the malware to Flame and Duqu, which famously helped another program, Stuxnet, disable Iranian nuclear centrifuges, leading to a shutdown of a uranium enrichment facility in Natanz in 2010.
“Over the last few years, the number of ‘APT-related’ incidents described in the media has grown significantly. For many of these, though, the designation ‘APT,’ indicating an ‘Advanced Persistent Threat,’ is usually an exaggeration,” wrote Kaspersky Lab.
“With some notable exceptions, few of the threat actors usually described in the media are advanced. These exceptions, which in our opinion represent the pinnacle of cyberespionage tools: the truly 'advanced' threat actors out there, are Equation, Regin, Duqu or Careto. Another such an exceptional espionage platform is ‘ProjectSauron’, also known as ‘Strider’.”