Daily Archives: 2016-08-13

Sauron, an APT created by a government?

A few days ago, on the 9th of August, Kaspersky Lab released different reports on the newly found Project Sauron APT (Advanced Persistent Threat). Based on forensic analysis of Kaspersky labs, this APT was running since, at least, 2011 in military or governmental agencies around the world. 5 years, it is indeed persistent, isn’t it? It is also advanced because, from what we can deduct from Kaspersky’s Technical Analysis, it seems that this APT is more a framework than a “simple” Trojan. It is more a set of services and code disseminated across the Windows Servers services, used to copy, sniff, decrypt, encrypt and exfiltrate data, even found on air-gap computers. It is also clearly targeted to find sensitive information protected by a very specific encryption technology. It is also polymorphic as it changes its “appearance” (like the name of the DLL it hides behind) on each installation. It also exfiltrate data through standard channels like DNS or email in order to avoid detection.

Kaspersky named it Project Sauron because the name is used in the LUA scripts of the framework as a variable name prefix (Symantec called it Strider).The use of LUA (a very popular script language amongst gamers) is also quite exceptional in the malware world.

This combination of use of zero day exploits (code exploiting previously unknown vulnerabilities), the modularity, the polymorphism, the use of strong encryption techniques (like RSA2048, RC6, AES), the use of normal channel for exfiltration in order to avoid detection and the long lasting infection (2011-2016), makes it a “Top of the top” (sic), state-of-the-art, APT.

What makes it also exceptional is that Sauron targeted military and governmental agencies around the world and not your everyday computer system used by SMEs. Some of these targets have multiple layers of protection and detection systems, anti-viruses, security analysts, firewalls, network segregation and so on. They are even running some of their services on air-gap (not connected to the Internet) servers or networks. Even there, Sauron was able to get in and out using the USB key used to update the systems. Bottom line, Sauron was evading security measures from some of the best actors on the market. What an achievement!

So, looking at this level complexity, some will directly look at the NSA, the MI6 and the GCHQ or why not the FSB (Russia was listed amongst the victims but it is a well-known technique to get your own poison in order to avoid suspicion of being the poisoner). But, states are not the only actors in the market with such capabilities.Symantec evoque a group call Strider (hence the name of the attack) as being the mastermind behind this attack. For years now cyber-criminal organization are growing in importance and size. With a trillion (1.000 billion $) of estimated revenue per year, supposing there is one single organization that generate a 1/1000 of this revenue, meaning 1 billion $ per year, would not be a crazy idea. 1 billion $ of revenue for an organization of hackers is quite a lot of money, and means, to develop and put such kind of attack in motion. As long there is a return on the investment (and there will likely have states ready to buy such valuable information), criminals are never far away.

It means also that if this project is at least 5 years old, the attackers must have, by now, much more efficient and stealth malware in place somewhere else (or at the same place). It means also that such vector will become more widely available in the community, hence more frequent, like any technical progress in a market. If Sauron his a “private sector” product, how can we protect from organization with such means? We often settle that we are basically powerless against state espionage. Should we do the same with (large) criminal organization in the (near) future?

More on the subject: