Researchers have unearthed two sophisticated toolsets that a nation-state hacking group—possibly from Russia—used to steal sensitive data stored on air-gapped devices, meaning those that are deliberately isolated from the Internet or other networks to safeguard them from malware.
One of the custom tool collections was used starting in 2019 against a South Asian embassy in Belarus. A largely different toolset created by the same threat group infected a European Union government organization three years later. Researchers from ESET, the security firm that discovered the toolkits, said some of the components in both were identical to those fellow security firm Kaspersky described in research published last year and attributed to an unknown group, tracked as GoldenJackal, working for a nation-state. Based on the overlap, ESET has concluded that the same group is behind all the attacks observed by both firms.
Quite unusual
The practice of air gapping is typically reserved for the most sensitive networks or devices connected to them, such as those used in systems for voting, industrial control, manufacturing, and power generation. A host of malware used in espionage hacking over the past 15 years (for instance, here and here) demonstrate that air gapping isn’t a foolproof protection. It nonetheless forces threat groups to expend significant resources that are likely obtainable only by nation-states with superior technical acumen and unlimited budgets. ESET’s discovery puts GoldenJackal in a highly exclusive collection of threat groups.
“With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems,” ESET researcher Matías Porolli wrote in Tuesday’s report. “This speaks to the resourcefulness of the group.”