
Complex malware hides on government’s computers for five years

The malware was discovered by researchers at Kaspersky Lab and Symantec. It was first detected on an unspecified government network last September, when Kaspersky was hired to investigate "anomalous network traffic" coming from one machine. It has since been found in the networks of over 30 government, military, telecommunications and financial organisations.
Kaspersky eventually tracked the unidentified network traffic to a "strange" module registered as a Windows password filter. Password filters are libraries that administrators install, typically on domain controllers, so that the Local Security Authority (LSASS) can enforce organisation-specific password rules such as minimum length or required character classes.
Because LSASS loads every registered filter at startup and hands each one the new password in plaintext whenever a user changes it, a malicious filter sees every password on the domain without having to crack anything. The malware's filter simply harvested those plaintext passwords and sent them over the network to its operators.
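The persistence trick above is visible in a single registry value, so it can be audited. The following PowerShell is an added example written for this page, not code from the article or from Kaspersky or Symantec; the "known-good" baseline names and the output columns are this example's own assumptions, and it should be run in an elevated session on each domain controller.

```powershell
# Added example (not from the original article): list every LSA password filter
# registered on this host and flag anything that does not look like it belongs.
# Assumptions: the baseline names below cover a stock Windows install; extend them
# for legitimate third-party password-policy products you have deployed.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$system32 = Join-Path $env:SystemRoot 'System32'

# Filters Windows registers itself: scecli on every host, rassfm on domain controllers.
$knownGood = @('scecli', 'rassfm')

# REG_MULTI_SZ value: one DLL name per entry, given without the .dll extension.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($name in $packages) {
    $dll    = Join-Path $system32 ($name + '.dll')
    $exists = Test-Path -LiteralPath $dll
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    $flags = @()
    if ($knownGood -notcontains $name) { $flags += 'not-in-baseline' }
    if (-not $exists) {
        # LSASS resolves the name through the normal DLL search path, so a filter
        # that is absent from System32 may still load from somewhere else: investigate.
        $flags += 'dll-not-in-system32'
    }
    elseif ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    elseif ($signer -notmatch 'O=Microsoft Corporation') { $flags += 'non-microsoft-signer' }

    [PSCustomObject]@{
        Package = $name
        Path    = $dll
        Signer  = $signer
        Flags   = if ($flags) { $flags -join ',' } else { 'ok' }
    }
}

# Cross-check against what LSASS has actually loaded: a filter removed from the
# registry after boot stays resident until the next restart. Requires elevation; if
# LSA protection (RunAsPPL) is enabled this enumeration is denied, which is expected.
Get-Process -Name lsass | ForEach-Object {
    $_.Modules | Where-Object { $_.FileName -notlike "$system32\*" } |
        Select-Object ModuleName, FileName
}
```

Anything flagged as not in the baseline, unsigned, or signed by a vendor you do not recognise deserves a hash lookup and a look at the DLL's exports: a real password filter exports InitializeChangeNotify, PasswordFilter and PasswordChangeNotify, and it is the last of these that receives the plaintext password.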
Kaspersky soon realised the scale of what it had discovered, uncovering a highly sophisticated form of malware designed to steal passwords, encryption keys, configuration files and log stores from some of the most sensitive computers in the world. It then goes on to log keystrokes and open a back door to the compromised machine, giving the attackers complete control.
Project Sauron was designed to operate inside networks protected by some of the most restrictive perimeter controls in existence. It can even reach air-gapped computers, systems that have no internet connection and so cannot be attacked or controlled over a network. Sauron bridged the gap with specially prepared USB drives, allowing it to reach machines so sensitive that their owners had deliberately isolated them. The drives initially appear to be standard mass storage devices, but they also contain a hidden area of several hundred megabytes holding a virtual file system, which the malware uses to carry stolen data off the air-gapped system and, when the drive is later plugged into a connected machine, onward to the attackers.
The attack is so complex that Kaspersky still isn't sure exactly how it works. The hidden area is only useful once the malware is already running on the isolated machine, and Kaspersky does not know how that crucial first step is achieved. It speculated that the authors may be exploiting a zero-day vulnerability that has yet to be discovered.
Sauron is also designed to be extremely hard to detect. Most malware leaves behind tell-tale signs, such as connections to specific command-and-control servers or recurring file names and sizes, that can be turned into indicators of compromise and used to find other infections. Sauron is far more careful: its operators pick a different server for each target and tailor the implant per victim, going to great lengths to ensure no two machines share the same software "artifacts," so evidence gathered from one victim does not help locate the next.
“ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods,” said Kaspersky. “Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.”
The malware is now known to have been active since at least 2011. Its ability to operate unnoticed for over five years reflects that sophistication. Project Sauron is a modular espionage platform built by very experienced developers, and it is thought to have been produced with a budget in the millions of dollars.
Kaspersky and Symantec said they believe its authors studied other "top-of-the-top" malware platforms such as Duqu, Flame, Equation and Regin. Some of the compromised networks had those tools installed alongside Sauron, which strongly suggests Sauron was created by a different group rather than by the authors of those earlier platforms. Given the high budget and the extraordinary level of expertise involved, Kaspersky and Symantec said it's likely Sauron was built by government-sponsored actors, although they stopped short of naming a suspect country.