Jumping the air gap: 15 years of nation‑state effort

ESET researchers studied all the malicious frameworks ever reported publicly that have been used to attack air-gapped networks and are releasing a side-by-side comparison of their most important TTPs

Air-gapping is used to protect the most sensitive of networks. In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks emerged, bringing the total, by our count, to 17. ESET Research decided to revisit each framework known to date and to put them in perspective, side by side.

Key findings in this report:

  • All the frameworks are designed to perform some form of espionage.
  • All the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks.
  • We have not found any case of actual or suspected use of covert physical transmission.
  • Over 75% of all the frameworks used malicious LNK or autorun files on USB drives to either perform the initial air-gapped system compromise or to move laterally within the air-gapped network.
  • More than 10 critical-severity LNK-related remote code execution vulnerabilities in Windows have been discovered, then patched by Microsoft, in the last 10 years.
  • All the frameworks were built to attack Windows systems. We have not found any evidence of actual or suspected malware components built to target other operating systems.

In our white paper, linked below, we describe how malware frameworks targeting air-gapped networks operate, and we provide a side-by-side comparison of their most important TTPs. We also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.

Using the information made public by more than 10 different organizations over the years, and some ad hoc analysis to clarify or confirm some technical details, we put the frameworks in perspective to see what history might teach us in order to improve air-gapped network security and our ability to detect and mitigate future attacks.

This exhaustive study allowed us to isolate several major similarities in all of these frameworks, even those produced 15 years apart. Specifically, we focused our attention on the malware execution mechanisms used on both the connected and the air-gapped side of targeted networks and on the malware functionalities within the air-gapped network (persistence, reconnaissance, propagation, espionage and, in at least one case, sabotage), with an emphasis on the communication and exfiltration channels used to cross the air-gap barrier and control the components running on the isolated networks. This also resulted in a systematic analysis structure that may be reused to document air-gapped malware discovered in the future.

Despite some differences and nuances found across the frameworks studied, our analysis shows that most differ on many of these aspects only from an implementation perspective, mostly because of the severe constraints imposed by air-gapped environments. Armed with this knowledge, we highlight some detection opportunities specific to the actual techniques observed in the wild.

Our intention is to convince the reader of the importance of having the right defense mechanisms in place to mitigate the techniques used by the majority of the frameworks observed in the wild, before starting to look into the many theoretical air gap bypass techniques that have received a lot of attention lately despite none of them ever having been used in a real, publicly disclosed attack.

Victimology, attacker profiles, timeline

An air-gapped network is one that is physically isolated from any other network in order to increase its security. Air-gapping is a technique used to protect networks interconnecting the most sensitive and high-value systems within an organization, systems that are naturally of high interest to numerous attackers, including any and all APT groups.

We can state without fear of contradiction that the threat actors behind the known malware frameworks designed to attack air-gapped networks all belong to the advanced persistent threat (APT) category. Despite the variety of threat actors behind these frameworks, all of them shared a common goal: espionage.

Some frameworks have been attributed to well-defined, well-known threat actors:

For others, the attribution has been less clear-cut, speculative or controversial. Agent.BTZ, for example, has been attributed to Turla, but other experts are not so convinced.

Finally, we have a trilogy of frameworks that constitute our special cases: these frameworks were found in documentation from the Vault7 leaks and are described as having been in operation in a time range from 2013 to 2016; however, we have not found samples in the wild to analyze first hand.

The figure below shows a historical view of the period of activity of each framework, along with the time of the first public report. This is also an indication of how difficult it is to detect this type of framework, several having been active for many years before being exposed.

Note that the periods of activity are based on what has been reported publicly; in some cases, the researchers were not able to determine a precise period of activity from observable data, so the periods are approximated or inferred using some reasonable hypotheses.

Figure 1. Period of activity of all known frameworks and date of the first public report

Anatomy of air-gapped systems – a malware perspective

Attacking and compromising systems in air-gapped networks requires the attackers to develop capabilities that allow their tools to communicate via channels that are not commonly required in normal operations. It is obvious: they have to deal with the fact that these networks are isolated from the internet.

There is no precise definition of what "air-gapped malware" actually is from a purely technical perspective. This sparked some lively discussions internally, until we finally agreed upon the following definition of air-gapped network malware, for the purpose of this paper:

Malware, or a set of malware components acting together (a framework), that implements an offline, covert communication mechanism between an air-gapped system and the attacker that can be either bidirectional (command and response) or unidirectional (data exfiltration only).

We decided to split the frameworks into two broad categories: connected and offline. Most frameworks are built to provide fully remote end-to-end connectivity between the attacker and the compromised systems on the air-gapped side. We call these "connected frameworks". The general operating schema looks like this:

Figure 2. Overview of the components and actions of a connected framework designed to attack air-gapped networks

The most basic connected frameworks only have online connectivity with the attacker for data exfiltration purposes. The most powerful ones support a two-way communication protocol (represented by the yellow arrows). Through a compromised system on the connected side, the attacker sends commands to the malware located on the air-gapped network; this is done through a covert communication channel usually located on a USB drive. This feature grants the attackers the ability to remotely run arbitrary code within air-gapped networks.

In the other, rarer cases, the attack scenario does not involve any internet-connected systems at all. We call these "offline frameworks". In these cases, everything indicates the presence of an operator or collaborator on the ground to perform the actions usually done by the connected part of connected frameworks, such as preparing the initial malicious USB drive responsible for the execution on the air-gapped side, executing the malware on the air-gapped system, extracting the exfiltrated data from the drive and sending additional commands to the air-gapped side.

Figure 3. Overview of the components and actions of an offline framework designed to attack air-gapped networks

With these formal definitions established, we can compare the main characteristics shared by all frameworks.

Connected side execution vector

For connected frameworks, the first step to successfully compromise the air-gapped network is to get a foothold on a system that has internet connectivity. When it comes to APTs, it is not always possible to know exactly how this happened, but for the cases that we do know, the techniques observed do not differ much from what we see in malware in general: emails with malicious attachments, links, or USB worms.

Air-gapped side initial execution vector

This is one of the most interesting elements we studied: how do attackers manage to execute malicious code on an air-gapped system in the first place? All frameworks have devised their own ways, but all of them have one thing in common: without exception, all of them used weaponized USB drives. The main difference between connected and offline frameworks is how the drive is weaponized in the first place. Connected frameworks usually deploy a component on the connected system that monitors the insertion of new USB drives and automatically places on them the malicious code needed to compromise the air-gapped system. Offline frameworks, on the other hand, rely on the attackers intentionally weaponizing their own USB drive. What is interesting here is the variety of techniques used over time by these frameworks to get their payload executed on the target system. We can place these into three broad categories.

  • Automated execution: the malicious code gets executed without any user intervention. This involves the exploitation of some vulnerability, the most famous one being CVE-2010-2568, aka the "Stuxnet LNK exploit".
  • Non-automated execution (unknowingly triggered): the malicious code execution depends on tricking an unsuspecting legitimate user into executing the malicious code on the target system. This can be done by planting a compromised decoy document or a trojanized software installer on the USB drive, for example.
  • Non-automated execution (deliberately performed): the malicious code is hidden on the USB drive and needs to be deliberately executed by a human actor with physical access to the target system.

Table 1. Techniques used to compromise the first air-gapped system
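The script below is an added example, not part of the ESET report or its white paper, showing what a triage of a suspect USB drive against the first two categories above can look like: it walks a mounted drive, reports any autorun.inf, parses each .lnk with a minimal Shell Link parser (ShellLinkHeader, the optional IDList and LinkInfo blocks, then StringData) and flags shortcuts whose target or arguments launch a living-off-the-land binary, reference an executable stored on the drive itself, chain or encode a command line, or carry a document name with a double extension. The heuristics, the helper that builds the sample shortcuts and the two sample shortcuts are constructed for illustration; the drive path in the last comment is a placeholder.

```python
# Added example (not ESET tooling): triage .lnk / autorun.inf files on a removable drive.
# Parses the Shell Link ([MS-SHLLINK]) header and StringData to recover a shortcut's
# target and arguments, then applies a few constructed lure heuristics.
import os
import re
import struct

# LinkFlags bits from the Shell Link binary format.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))  # fixed StringData order
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

LOLBINS = ("cmd.exe", "rundll32", "powershell", "mshta", "wscript", "cscript", "regsvr32")
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg")
# An executable referenced relative to the shortcut itself, i.e. shipped on the drive.
ON_DRIVE_EXEC = re.compile(r'(?<![.\w])\.\\[^"\s]*\.(?:exe|dll|scr|cpl|bat|cmd|vbs|js)\b', re.I)

def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a valid ShellLinkHeader (size 0x4C plus the link CLSID)."""
    return (len(data) >= HEADER_SIZE and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def parse_lnk(data: bytes) -> dict:
    """Skip the optional IDList/LinkInfo blocks and return the StringData fields."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        fields[name] = ""
        if flags & bit:                      # CountCharacters (2 bytes), then the characters, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields

def triage_lnk(data: bytes, filename: str) -> list:
    """Reasons this shortcut looks like a USB lure; an empty list means nothing matched."""
    f = parse_lnk(data)
    cmdline = (f["relative_path"] + " " + f["arguments"]).lower()
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else filename.lower()
    reasons = []
    if any(tool in cmdline for tool in LOLBINS):
        reasons.append("launches a living-off-the-land binary: " + cmdline.strip())
    if ON_DRIVE_EXEC.search(cmdline):
        reasons.append("references an executable stored on the drive itself")
    if "/c start" in cmdline or "-enc" in cmdline or "frombase64" in cmdline:
        reasons.append("chained or encoded command line")
    if stem.endswith(DOC_EXT):
        reasons.append("shortcut named like a document (double extension)")
    return reasons

def scan_removable_drive(root: str) -> list:
    """Walk a mounted drive and report autorun.inf plus every .lnk that trips a heuristic."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower() == "autorun.inf":
                findings.append((path, ["autorun.inf present (AutoRun/AutoPlay abuse)"]))
            elif fn.lower().endswith(".lnk"):
                try:
                    with open(path, "rb") as fh:
                        reasons = triage_lnk(fh.read(), fn)
                except (OSError, ValueError) as exc:
                    reasons = ["could not parse: %s" % exc]
                if reasons:
                    findings.append((path, reasons))
    return findings

def build_lnk(relative_path="", arguments="") -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (used for the constructed samples)."""
    values = {"relative_path": relative_path, "arguments": arguments}
    flags, body = IS_UNICODE, b""
    for bit, name in STRING_FIELDS:
        if values.get(name):
            flags |= bit
            body += struct.pack("<H", len(values[name])) + values[name].encode("utf-16-le")
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0) + body

# Constructed samples, not real malware: a lure that chains cmd.exe to a loader hidden on the
# drive and then opens the decoy document, and a plain shortcut to that same document.
LURE = build_lnk("..\\..\\Windows\\System32\\cmd.exe", '/c start "" ".\\_\\loader.exe" & start "" ".\\Q3 report.docx"')
BENIGN = build_lnk(".\\Q3 report.docx")

if __name__ == "__main__":
    for name, blob in (("Q3 report.docx.lnk", LURE), ("Q3 report.lnk", BENIGN)):
        print(name, triage_lnk(blob, name) or "clean")  # add scan_removable_drive("/media/usb") for a real mount
```

The parser deliberately stops at StringData and does not decode the IDList, so a shortcut whose payload lives only in the target ID list (the CPL-loading variant behind CVE-2010-2568) reaches the triage with empty strings. Treat an empty reason list as "nothing matched", not as clean, and keep any autorun.inf or .lnk on a drive that came from outside the enclave as a finding in its own right.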

Air-gapped side functionalities

We looked at the three most important framework functionalities available on the air-gapped side: persistence, reconnaissance & espionage activity, and propagation & lateral movement. This highlighted how greatly frameworks vary in terms of operational goals and complexity: some are built for hit-and-run types of activity with hardcoded file-stealing tasks and no persistence, while others implement sophisticated and stealthy persistence mechanisms and effective propagation mechanisms within the air-gapped network. See Section 4.3 of the white paper for the full details.

Communication and exfiltration channel

This is the most interesting characteristic to study when looking at malware attacking air-gapped networks. Earlier in this blog, we clarified our definition of "air-gapped malware" and split air-gapped frameworks into two categories: connected and offline.

The difference from the communication and exfiltration point of view is significant: connected frameworks require an online, traditional C&C communication channel connecting the attacker to the connected-side compromised host, and a second, offline one connecting the connected-side compromised host and the air-gapped systems, as shown in the figure below.

Figure 4. Online and offline communication channels in connected frameworks

On the other hand, the figure below shows how offline frameworks only require the offline communication channel.

Figure 5. Offline communication channel in offline frameworks

The presence of an offline communication channel is the core part of our definition of what air-gapped malware is. This is how the malware bypasses the air gap defense layer to transfer information in and out, or sometimes just out, of the target network.

An offline channel can be seen as a specific communication protocol running over a certain physical transmission medium across the air gap.

One of the first things that comes to mind when talking about attacks against air-gapped networks is how the air gap can be bypassed. In fact, new research on covert physical transmission mediums is published regularly. One of the most prolific researchers in that field is certainly Mordechai Guri, lead cybersecurity researcher at Ben-Gurion University of the Negev. He and his team have demonstrated the feasibility of numerous techniques that allow information transfer across air gaps with various levels of attack deployment complexity and available bandwidth.

While there have been alleged sightings of in-the-wild attacks using such techniques, no peer-reviewed case has been publicly analyzed and disclosed. All the malicious frameworks targeting air-gapped networks publicly known to date used USB drives as the physical transmission medium to transfer information across air gaps.

The table below illustrates how about half of the frameworks only implement unidirectional protocols. In these attack scenarios, the information can only flow from the compromised air-gapped system to the attacker, and not the other way around. This means the malware component running on the air-gapped side does not have any update mechanism or backdoor capabilities and is designed to perform specific, hardcoded tasks, usually reconnaissance and information stealing, and then exfiltrate the information back to the attacker via the USB drive. The attacker has no way at all to send updates or commands to control the compromised system.

Frameworks implementing bidirectional protocols are more flexible, as they allow the attacker much better control over the compromised air-gapped hosts. Interestingly, not all frameworks with bidirectional protocols make full use of this capability. In fact, most implement only a small, not very flexible set of commands, such as stealing files matching specific patterns or running a specific executable file present on the USB drive.

Table 2. Types of offline communication protocols

Protecting air-gapped networks

It goes without saying that protecting air-gapped networks against cyberattacks is a very complex topic that involves multiple disciplines. It is far from our intention to claim that we have a magical solution to this problem. That being said, there is value in understanding how known frameworks operate in air-gapped environments and deriving ways to detect and block common malicious activities.

Section 5 of our white paper presents ideas to detect and block malicious activities that are common to a significant portion of the studied frameworks. None of them are revolutionary, but we hope that our data-driven approach will help defenders prioritize their defense mechanisms. In other words, defenders should first implement defenses against what known malware has been doing so far, before trying to block techniques that have not been used yet.
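As an added example that is not from the white paper, the detection below encodes one of the data-driven points made in this post: connected frameworks weaponize a USB drive right after it is inserted, and the same drive is the write leg of the offline channel, so a non-interactive process creating LNK, autorun.inf or executable files on a freshly inserted drive is the observable. It correlates normalized host events (a USB insertion followed by file creations on that drive within a short window, grouped by the writing process) over a constructed batch of events. The event shape and field names, the 30-second window and the exclusion of explorer.exe are assumptions made for the example.

```python
# Added example (not from the white paper): correlate a USB insertion with files written to
# the new drive by a non-interactive process, over constructed, normalized host events.
import datetime as dt
from collections import defaultdict

WINDOW = dt.timedelta(seconds=30)            # assumption: weaponization follows insertion quickly
DROP_NAMES = {"autorun.inf", "desktop.ini"}
DROP_EXT = (".lnk", ".exe", ".dll", ".scr", ".cpl", ".vbs", ".js")
USER_SHELL = ("\\explorer.exe",)             # a person copying files; a noise filter, not an allow-list

def _is_drop(target: str) -> bool:
    """File names the frameworks plant on a drive: autorun/LNK lures and executables."""
    name = target.rsplit("\\", 1)[-1].lower()
    return name in DROP_NAMES or name.endswith(DROP_EXT)

def correlate(events: list) -> list:
    """For each usb_insert, gather file_create events on that drive inside WINDOW, grouped by the
    writing process; every non-shell process that dropped a suspicious file yields one alert."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, ins in enumerate(evs):
            if ins["event"] != "usb_insert":
                continue
            t0, drive = dt.datetime.fromisoformat(ins["ts"]), ins["device"].upper()
            drops = defaultdict(list)
            for f in evs[i + 1:]:
                if dt.datetime.fromisoformat(f["ts"]) - t0 > WINDOW:
                    break                                 # events are sorted, nothing later qualifies
                if (f["event"] == "file_create" and f["target"].upper().startswith(drive)
                        and _is_drop(f["target"])):
                    drops[f["image"]].append(f["target"])
            for image, files in drops.items():
                if image.lower().endswith(USER_SHELL):
                    continue
                alerts.append({"host": host, "device": drive, "inserted_at": ins["ts"],
                               "image": image, "files": files})
    return alerts

# Constructed events (not real telemetry), in the shape of normalized Sysmon FileCreate and
# device-arrival records. ws-12: a background binary writes a lure set seconds after insertion,
# plus one more shortcut five minutes later. ws-07: a user copies a presentation with Explorer.
SAMPLE_EVENTS = [
    {"ts": "2021-12-01T09:00:00", "host": "ws-12", "event": "usb_insert", "device": "E:"},
    {"ts": "2021-12-01T09:00:04", "host": "ws-12", "event": "file_create",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\svc\\upd.exe", "target": "E:\\autorun.inf"},
    {"ts": "2021-12-01T09:00:05", "host": "ws-12", "event": "file_create",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\svc\\upd.exe", "target": "E:\\Photos.lnk"},
    {"ts": "2021-12-01T09:00:06", "host": "ws-12", "event": "file_create",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\svc\\upd.exe", "target": "E:\\_\\loader.exe"},
    {"ts": "2021-12-01T09:00:20", "host": "ws-12", "event": "file_create",
     "image": "C:\\Windows\\explorer.exe", "target": "E:\\report.docx"},
    {"ts": "2021-12-01T09:05:00", "host": "ws-12", "event": "file_create",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\svc\\upd.exe", "target": "E:\\late.lnk"},
    {"ts": "2021-12-01T10:00:00", "host": "ws-07", "event": "usb_insert", "device": "F:"},
    {"ts": "2021-12-01T10:00:09", "host": "ws-07", "event": "file_create",
     "image": "C:\\Windows\\explorer.exe", "target": "F:\\slides.pptx"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The same correlation applies unchanged on the air-gapped side, where it has to run over locally collected logs because no telemetry leaves the enclave. The explorer.exe exclusion only removes user copy noise; a component injected into the shell would hide behind it, so pair this rule with the per-drive file triage rather than relying on it alone.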


We have seen how the frameworks can be split into two categories: connected frameworks, which are operated fully remotely, and offline frameworks, which rely on a human asset on the ground. Despite the use of various techniques to breach the initial air-gapped system, to propagate inside the network or to exfiltrate stolen information, all the frameworks share one common purpose: to spy on their target.

Finding and analyzing this type of framework poses unique challenges. They are sometimes composed of multiple components that all need to be analyzed together in order to get the complete picture of how the attacks are really being carried out.

Also, security vendors such as ESET rely on telemetry to discover new threats on systems where their products are running. By definition, systems running inside air-gapped networks do not send such telemetry, which creates a significant blind spot that contributes to increasing the time to discovery and detection of new malware targeting air-gapped networks.

Understanding how malware attacks air-gapped networks can help identify and prioritize detection and protection mechanisms. For example, we observed how all frameworks relied on USB drives one way or another to spy on air-gapped systems, and none of them used any other type of covert communication channel against which TEMPEST restrictions would need to be implemented.

