ESET Research have analysed malicious frameworks targeting physically isolated networks, dissecting 15 years of nation-state efforts.
ESET researchers revisited 17 malicious frameworks used to attack air-gapped networks. The frameworks comprise all those known to date.
An air-gapped network is one that is physically isolated from any other network in order to increase its security.
This technique can help protect the most sensitive of networks: industrial control systems (ICS) running pipelines and power grids, voting systems, and SCADA systems operating nuclear centrifuges, just to name a few.
Naturally, systems that run critical infrastructure are of high interest to numerous attackers, including any and all APT groups. APT groups are typically sponsored by or part of nation-state efforts. Ultimately, if an air-gapped system is infiltrated, these threat actors can intercept confidential data in order to spy on countries and organisations.
In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks emerged, bringing the total number to 17.
According to ESET, discovering and analysing this type of framework poses unique challenges as sometimes there are multiple components that all have to be analysed together in order to have the complete picture of how the attacks are really being carried out.
Using the knowledge made public by more than 10 different organisations over the years, and some ad hoc analysis to clarify or confirm some technical details, ESET researchers led by Alexis Dorais-Joncas put the frameworks in perspective to see what history could teach cybersecurity professionals and, to a certain extent, even the wider public about improving air-gapped network security and our abilities to detect and mitigate future attacks.
"Unfortunately, threat groups have managed to find sneaky ways to target these systems. As air-gapping becomes more widespread, and organisations are integrating more innovative ways to protect their systems, cyber-attackers are equally honing their skills to identify new vulnerabilities to exploit," says Alexis Dorais-Joncas, who leads ESETs security intelligence team.
"For organisations with critical information systems and/or classified information, the loss of data could be hugely damaging. The potential that these frameworks have is very concerning.
"Our findings show that all frameworks are designed to perform some form of espionage, and all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks."
With the risks identified, ESET has put together the following list of detection and mitigation methods to protect air-gapped networks against the main techniques used by all the malicious frameworks publicly known to date:
Prevent email access on connected hosts Preventing direct access to emails on connected systems would mitigate this popular compromise vector. This could be implemented with browser/email isolation architecture, where all email activity is performed in a separate, isolated virtual environment.
Disable USB ports and sanitise USB drives Physically removing or disabling USB ports on all the systems running in an air-gapped network is the ultimate protection. While removing USB ports from all systems may not be acceptable for all organisations, it might still be possible to limit functional USB ports only to the systems that absolutely require it. A USB drive sanitisation process performed before any USB drive gets inserted into an air-gapped system could disrupt many of the techniques implemented by the studied frameworks.
Restrict file execution on removable drives Several techniques used to compromise air-gapped systems end up with the straight execution of an executable file stored somewhere on the disk, which could be prevented by configuring the relevant Removable Storage Access policies.
Perform regular analysis of the system Performing a regular analysis of the air-gapped system to check for malicious frameworks is an important part of security in order to keep data safe.
In addition, it is worth noting that endpoint security products are generally able to detect and block several exploit classes, so having such technology not only deployed but also kept up to date could have a positive impact.
"Maintaining a fully air-gapped system comes with the benefits of extra protection," says Dorais-Joncas.
"But just like all other security mechanisms, air gapping is not a silver bullet and does not prevent malicious actors from preying on outdated systems or poor employee habits."