ProjectSauron APT Platform Used to Spy on Government Agencies and Critical Industries

By Joseph Lorenz on August 12, 2016


Kaspersky Lab and Symantec researchers have disclosed an espionage group that is most likely backed by a nation-state. Symantec tracks the group as Strider; Kaspersky Lab, after reviewing modules from the group's latest attacks, named it ProjectSauron, after a reference to Sauron found in the malware's configuration. Evidence of the group's activity goes back to at least 2011, and it has targeted at least 30 organizations in Russia, China, Sweden, Belgium, Iran and Rwanda, and possibly Italy. Researchers cannot say for certain who is behind the group, but the complexity of the malware, the length of time it stayed hidden, the kinds of targets chosen and the nature of the data collected all point to a state-backed attack group. Experts still do not know how the attackers first gain access to the critical networks they compromise (the initial infection vector has not been identified), but they have been able to reconstruct much of the group's activity once inside those networks.

The attackers behind ProjectSauron show a particular interest in communication encryption software that is widely used by governmental organizations: the platform steals encryption keys, configuration files and the IP addresses of the key infrastructure servers that the encryption software relies on. The group can also exfiltrate data from air-gapped systems (computers or networks that are deliberately isolated from any external connection as a security measure) using specially crafted USB storage drives that carry a hidden storage area. Kaspersky Lab reported finding 28 command-and-control (C&C) domains linked to 11 IP addresses in the United States and several European countries. The C&C domains and server infrastructure are constantly changed, however, so that no reusable pattern emerges and researchers have little to pivot on when tracking the group's activity.
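Linking 28 domains to 11 IP addresses is an infrastructure pivot: domains that look unrelated are clustered by the addresses they resolve to, and the resulting indicator set is then matched against outbound connection logs. The script below is an added illustration of that workflow and is not tooling from Kaspersky Lab, Symantec or the attackers; every domain, IP address and log line in it is constructed for the example (documentation-range addresses and `.example` names), not a real ProjectSauron indicator, and the log format is an assumed `timestamp src dst:port host` layout.

```python
"""Pivot C&C indicators by shared hosting IP and match them against outbound
connection logs.  Added example; all indicators and log lines are constructed."""
from collections import defaultdict
import ipaddress
import re

# Constructed passive-DNS style resolutions (domain, IP).  Not real IOCs.
RESOLUTIONS = [
    ("update-cdn01.example", "192.0.2.10"),
    ("mail-sync.example", "192.0.2.10"),       # shares a host with the one above
    ("static-assets.example", "198.51.100.7"),
    ("fw-telemetry.example", "203.0.113.5"),
    ("fw-telemetry.example", "203.0.113.6"),   # same domain moved to a new IP
]


def pivot_by_ip(resolutions):
    """Group domains by the IP they resolved to.  A shared IP ties otherwise
    unrelated-looking domains into one infrastructure cluster."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        ipaddress.ip_address(ip)  # raises ValueError on malformed input
        by_ip[ip].add(domain.lower().rstrip("."))
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


def shared_hosts(resolutions, min_domains=2):
    """Only the IPs that host at least `min_domains` indicator domains."""
    return {ip: d for ip, d in pivot_by_ip(resolutions).items() if len(d) >= min_domains}


def domains_with_multiple_ips(resolutions):
    """Domains that moved between addresses: a sign the operator rotates
    infrastructure, so IP-only blocking would miss them."""
    by_domain = defaultdict(set)
    for domain, ip in resolutions:
        by_domain[domain.lower().rstrip(".")].add(ip)
    return {d: sorted(ips) for d, ips in by_domain.items() if len(ips) > 1}


# Constructed proxy/firewall log: "<timestamp> <src> <dst>:<port> <host>"
LOG = """\
2016-08-01T10:00:00Z 10.0.5.12 192.0.2.10:443 update-cdn01.example
2016-08-01T10:00:03Z 10.0.5.12 93.184.216.34:443 www.example.org
2016-08-01T10:02:17Z 10.0.7.3 203.0.113.6:443 fw-telemetry.example
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def match_indicators(log_text, resolutions):
    """Return one hit per log line whose destination IP or requested host
    is in the indicator set; `matched` records which field(s) matched."""
    ioc_ips = {ip for _, ip in resolutions}
    ioc_domains = {d.lower().rstrip(".") for d, _ in resolutions}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, dst, port, host = m.groups()
        reasons = []
        if dst in ioc_ips:
            reasons.append("ip")
        if host.lower().rstrip(".") in ioc_domains:
            reasons.append("domain")
        if reasons:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                         "host": host, "matched": reasons})
    return hits


if __name__ == "__main__":
    for ip, domains in shared_hosts(RESOLUTIONS).items():
        print(f"{ip} hosts {len(domains)} indicator domains: {', '.join(domains)}")
    for domain, ips in domains_with_multiple_ips(RESOLUTIONS).items():
        print(f"{domain} rotated across {len(ips)} IPs: {', '.join(ips)}")
    for hit in match_indicators(LOG, RESOLUTIONS):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} ({hit['dst']}) matched on {hit['matched']}")
```

Matching on both the destination address and the requested hostname is deliberate: an operator who rotates C&C infrastructure as the article describes will invalidate IP-only indicators quickly, and the domain-level match (or the reverse, when a domain is re-pointed) keeps the detection alive a little longer.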