In September 2015, Kaspersky, a major information-security company, noticed unusual activity on the network of a client organization. That anomaly led to the discovery of ProjectSauron, a threat actor that attacks state-run organizations using a unique set of tools against each victim, a characteristic that breaks the pattern of traditional threats.
ProjectSauron has mainly been used for cyber espionage. Vitaly Kamluk, principal security researcher at Kaspersky, states that the use of parameters unique to each victim, such as the control server and the encryption key, together with the adoption of advanced techniques copied from other actors, is a new element.
“The only way of resisting that kind of threat is having many layers of security installed, based on a series of detectors that could control any anomaly within the organization's workflow, along with multiplied threat intelligence and the related analysis to detect patterns even when there seem to be none,” Vitaly Kamluk explained.
ProjectSauron uses a distinct set of implants and infrastructure for each individual target and never reuses them. This method, together with several routes for extracting the stolen data, such as legitimate email and DNS channels, allows it to sustain covert espionage campaigns over long periods.
To date, more than 30 victims from different organizations have been identified in Russia, Iran and Rwanda, and there may be others in Italian-speaking countries. The organizations attacked usually play a key role in providing specialized services to the State, including governments, military institutions, scientific research centers, telecommunications operators and financial organizations.
According to the globbsecurity.com site, some experts agree that, given its high cost and complexity, the malicious platform may have had help from a government.
Kaspersky Lab and Symantec are behind the research, and ProjectSauron has been described as a nation-state threat actor.
Analysis shows that ProjectSauron has been operational since June 2011 and remains active in 2016. Some of its tools include:
· A unique footprint: its main implants, which have different file names and sizes, are built individually for each target.
· Runs in memory: the implants use scripts embedded in legitimate, updated software and operate as hidden programs, downloading new command modules or executing the attacker's commands in memory.
· A focus on encrypted communications: ProjectSauron searches for information related to custom network encryption software. This client-server software is adopted by many organizations to secure the exchange of communications, voice, email and documents. The attackers are interested in the encryption-software components, keys, configuration files and the location of the servers that relay the encrypted messages.
· Script-based flexibility: ProjectSauron has used a series of low-level tools orchestrated by high-level Lua scripts.
· Bypassing air-gapped network security: ProjectSauron uses specially prepared USB drives to get past air-gapped networks. These drives contain hidden compartments in which the stolen data is concealed.
· Multiple exfiltration mechanisms: ProjectSauron implements several routes for extracting data, including legitimate channels such as email and DNS, with the information stolen and copied from the victim disguised as regular traffic.
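The exfiltration route described in the last item, data hidden inside ordinary DNS traffic, is the kind of anomaly the layered detection Kamluk calls for is meant to catch. The following is an added detection example, not code from the original article or from Kaspersky: it scans constructed resolver log lines (the log format and all domain names are assumptions) and flags parent domains that receive many distinct queries whose leftmost label is long and high-entropy, the shape encoded data takes when tunnelled through DNS.

```python
import math
import re
from collections import defaultdict

# Constructed sample of DNS resolver log lines (not real telemetry).
# Assumed format: "<timestamp> <client_ip> query <qname> <qtype>"
SAMPLE_LOG = """\
2016-08-01T09:00:01 10.1.2.3 query www.example.com A
2016-08-01T09:00:02 10.1.2.3 query mail.example.com MX
2016-08-01T09:00:05 10.1.2.4 query 6a7b3c9d0e1f2a3b4c5d6e7f8091a2b3.files.example-cdn.test TXT
2016-08-01T09:00:06 10.1.2.4 query 9f8e7d6c5b4a39281706f5e4d3c2b1a0.files.example-cdn.test TXT
2016-08-01T09:00:07 10.1.2.4 query 0123456789abcdef0123456789abcdef.files.example-cdn.test TXT
2016-08-01T09:00:08 10.1.2.4 query c3d4e5f60718293a4b5c6d7e8f90a1b2.files.example-cdn.test TXT
2016-08-01T09:00:09 10.1.2.5 query update.example.com A
"""

LINE_RE = re.compile(r"^\S+ (\S+) query (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse(log: str):
    """Yield (client_ip, qname, qtype) for every well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)


def suspicious_domains(log: str, min_label_len=24, min_entropy=3.5, min_unique=3):
    """Return {parent domain: number of distinct suspicious subdomains}.

    A parent domain is flagged when several distinct queries carry a long,
    high-entropy leftmost label, the footprint data-over-DNS exfiltration
    leaves in resolver logs. Thresholds are tunable assumptions."""
    hits = defaultdict(set)
    for _client, qname, _qtype in parse(log):
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        first, parent = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[parent].add(first)
    return {d: len(s) for d, s in hits.items() if len(s) >= min_unique}
```

On the sample, only example-cdn.test is flagged (four distinct hex-looking labels); the ordinary hostnames are never counted. In production the thresholds should be tuned per environment, since CDNs and some security products also emit long subdomain labels legitimately.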
By Ana Teresa Badía