
Malware Campaign Targets Eastern European Air-Gapped Systems

Kaspersky Attributes Attacks to Beijing-Aligned APT31 Threat Actor

A multistage malware campaign is targeting industrial organizations in Eastern Europe with the objective of pilfering valuable intellectual property, including data from air-gapped systems.


Researchers at Kaspersky identified two implants used to extract data from infected systems and attributed them to the Beijing-aligned APT31 group.

One of the two implants spotted by Kaspersky identifies removable drives and contaminates them with a worm. The other implant steals data from a local computer and sends it to Dropbox with the help of the next-stage implants.
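The article states that stolen data is staged to Dropbox by the later-stage implants. From a defender's side, the corresponding check is a simple one: industrial hosts that push file content to a consumer cloud storage API should stand out in proxy logs. The script below is an added example, not part of the article or Kaspersky's research. It parses constructed proxy log lines (the format, hostnames and byte counts are assumptions for illustration), sums bytes POSTed to the Dropbox content API host per source host, and flags hosts that are not on an approved list once they exceed a threshold.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article). Fields: timestamp,
# source host, HTTP method, destination host, URL path, bytes sent by the client.
SAMPLE_PROXY_LOG = """\
2023-08-01T09:12:03Z eng-ws-01 POST content.dropboxapi.com /2/files/upload 5242880
2023-08-01T09:12:44Z eng-ws-01 POST content.dropboxapi.com /2/files/upload_session/append_v2 8388608
2023-08-01T09:15:10Z eng-ws-01 POST content.dropboxapi.com /2/files/upload_session/finish 1048576
2023-08-01T09:20:00Z hmi-station-3 GET www.example.com / 512
2023-08-01T09:25:31Z marketing-lt-7 POST content.dropboxapi.com /2/files/upload 2097152
2023-08-01T09:31:02Z hmi-station-3 POST content.dropboxapi.com /2/files/upload 4194304
"""

# One whitespace-separated record per line; the last field is an integer byte count.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

# Dropbox hostname that carries file content (uploads/downloads); the article only
# says "Dropbox", so restricting to this host is an assumption of this example.
DROPBOX_CONTENT_HOSTS = {"content.dropboxapi.com"}


def parse_proxy_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, dst, path, nbytes = m.groups()
        events.append({"ts": ts, "src": src, "method": method,
                       "dst": dst, "path": path, "bytes": int(nbytes)})
    return events


def dropbox_upload_bytes_by_host(events):
    """Sum client-sent bytes of POST requests to the Dropbox content host, per source."""
    totals = defaultdict(int)
    for e in events:
        if e["dst"] in DROPBOX_CONTENT_HOSTS and e["method"] == "POST":
            totals[e["src"]] += e["bytes"]
    return dict(totals)


def flag_hosts(events, approved_hosts, threshold_bytes=1_000_000):
    """Return (host, bytes) for unapproved hosts that uploaded at least the threshold.

    approved_hosts: set of hostnames with a legitimate business reason to use Dropbox.
    """
    totals = dropbox_upload_bytes_by_host(events)
    flagged = []
    for host, total in sorted(totals.items()):
        if host in approved_hosts:
            continue
        if total >= threshold_bytes:
            flagged.append((host, total))
    return flagged


if __name__ == "__main__":
    evts = parse_proxy_log(SAMPLE_PROXY_LOG)
    # Constructed allow list: one laptop outside the plant network is expected to use Dropbox.
    for host, total in flag_hosts(evts, approved_hosts={"marketing-lt-7"}):
        print(f"ALERT: {host} sent {total} bytes to Dropbox content API")
```

In a real deployment the approved list would come from asset inventory and the threshold from a baseline of normal traffic; the point is that engineering workstations and HMI stations in an industrial network rarely have any legitimate reason to appear in this list at all, so even a low threshold is informative there.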

Air-gapped equipment is typically more secure than networked computers because it is physically isolated. Large-scale industrial companies, such as power companies and oil and gas firms, as well as government agencies, are among the most common users of these networks.

Air gapping is hardly a guarantee against hackers. Malware that attacks air-gapped networks has been reported by security firms in the past, including a cyberespionage framework that researchers at Eset named Ramsay in 2020 (see: Cyberespionage Malware Targets Air-Gapped Networks: Report). Easily the most famous example of malware jumping the air gap is Stuxnet, the cyberweapon identified in 2010 that was aimed at disrupting Iran's nuclear facilities and is widely reported to have been coded by the United States and Israel.

Kaspersky researchers said that in this most recent example of malware targeting air-gapped systems, they had identified more than 15 implants and their variants planted by the group in various combinations.

The researchers divided the entire stack of implants into three categories:

  • First-stage implants for persistent remote access and initial data gathering;
  • Second-stage implants for gathering data and files, including from air-gapped systems;
  • Third-stage implants and tools used to upload data to command-and-control (C2) servers.

The researchers did not reveal the initial attack vector but said that the latest research is devoted to second-stage malware used to gather data on infected systems.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.