Researchers from Kaspersky Lab announced they found a new espionage platform, most likely built by a nation-state, and used against other state organisations.
The platform, which they dubbed ‘ProjectSauron’, is ‘particularly interested’ in accessing encrypted communications. According to Kaspersky Lab, it hunts such communications down using an ‘advanced modular cyber-espionage platform’ comprising a number of different and unique tools.
Researchers say traditional indicators of compromise are ‘almost useless’ in this case, because ProjectSauron has noteworthy evasion patterns.
It customises its implants and infrastructure for each individual target and never reuses them, which makes it extremely hard to detect.
ProjectSauron looks as if it was created by an ‘experienced and traditional actor’, drawing inspiration from Duqu, Flame, Equation and Regin.
Targets were found in Iran, Rwanda, Russia and possibly a few Italian-speaking countries. More than 30 victim organisations in these countries have been identified, but Kaspersky Lab believes there are probably many more.
The platform usually targets government, military, scientific research centres, telecom operators and financial organisations. It seems the platform has been in operation since 2011, and it remains active.
“A number of targeted attacks now rely on low-cost, readily-available tools. ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customisable scripted code. The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting edge techniques from other major threat actors, is rather new. The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organisational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none,” said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab.