‘Project Sauron’ has been stealing data from groups in 30 countries since at least 2011, experts say
The spying group, which may be linked to a nation state, is known as Strider or Project Sauron and its technical sophistication demonstrates the difficulty in defending against determined attackers, experts said.
The group uses custom-built tools modified for each target and began its activities in October 2011 or earlier, according to two independent reports from Symantec and Kaspersky Lab.
The group is selective in its targets and infections have only been found on 36 computers used by seven separate organisations in four countries, Symantec said in an advisory.
Those organisations include several in Russia, an airline in China, an organisation in Sweden and an embassy in Belgium, Symantec said.
Kaspersky said it was aware of more than 30 infected organisations in Russia, Iran, Rwanda, possibly in Italian-speaking countries, and likely also elsewhere, with the sectors targeted including government, scientific research, military, telecommunications and finance.
“Project Sauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods,” Kaspersky said in its own advisory.
It uses a modular platform with at least 50 plugin types, deploys strong encryption, and targets communication encryption software used by governmental organisations, Kaspersky said.
“It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operation system,” the firm stated.
“Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.”
The group was still active in April of this year, and although it appears to have “largely” shut down, it may still be targeting systems, Kaspersky said.
Kaspersky said it uncovered Project Sauron in September of last year when it found “anomalous” network traffic on a client’s network.
“Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server,” Kaspersky stated. “The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext. Additional research revealed signs of activity of a previously unknown threat actor.”
A recent study found that nearly two-thirds of IT security professionals believe their organisations are potential targets for nation-state computer attacks.
Are you a security pro? Try our quiz!