Sysctl partner ESET has released a comprehensive study of APT groups and advanced attacks carried out over the last 15 years. The research white paper, called “JUMPING THE AIR GAP: 15 years of nation-state effort”, focuses on what attackers have used to try to breach air-gapped systems: computers that are not connected to the Internet or corporate networks.

The white paper is both a deep dive into the various attacks and a meta-study that tries to synthesize trends and knowledge at a higher level.

Air gaps are a security control commonly used to protect and isolate critical systems, like industrial control systems or process control devices. Because it is not directly connected to other networks, the air-gapped system is hard for an attacker to reach. Fewer attack paths exist, and vulnerabilities are shielded by not being reachable over internal or external networks. Attacker frameworks have been developed to address this defensive measure, to bridge the air gap and deliver malicious content or attacks by means other than network attacks. Many of these attacks are, naturally, carried out via mobile media devices, more specifically USB drives of various types.

The material in the ESET report is a very good overview of the various attacker groups, what types of attack tools have been used, what attacker capability exists, and what modus operandi has been used. The ESET white paper categorizes attacks and describes them in detail. Two appendices describe details about the different attack frameworks and the APT groups that use them.

All of the frameworks described in the report had been in use for a long time before they became public knowledge. Hence attacks can be launched months or years before the actual attack path is uncovered and can be blocked by fixing a specific vulnerability.

Since air gap attacks are normally performed using USB drives as the transport and injection method, it is important to have good protection against attacks launched via this attack path.

All of the attack frameworks identified by ESET were built to bridge air gaps for Windows systems, i.e. to trigger bugs and exploit vulnerabilities in the target Windows environment when the USB drive was inserted.

By using sysctl Impex as a security control, the air gap attacks can be detected, blocked and reported.

One important principle adhered to by Impex is that the security control and its checks sit outside the targeted, and potentially vulnerable, air-gapped systems. The bugs previously triggered by the attack frameworks would have been triggered before any malware checks had been performed on the target system.

Impex works by copying files from a source media and transferring them to another media. As such it protects against bugs in the initial file system, malicious USB controller software, etc. The media exchange introduced by using Impex as an intermediary addresses certain types of attacks, especially low-level attacks. Also, some of the air gap attack frameworks use ghost or shadow partitions on the media where they save information. Since the media is exchanged as part of the transfer process used by Impex, this type of data will not be transferred in or out of the air-gapped environment.

Impex also performs heuristic and signature checks on the transferred files using multiple antivirus scanners. Using multiple scanners gives a higher level of protection since it allows multiple, differentiated analyses of files and content.

By using Impex one can control exports as well as imports, and hence not only check for or protect against malicious code that enters an air-gapped environment. Many of the air gap attacks are used not only to attack and control devices in the air-gapped environment but also to extract data or exfiltrate information, i.e. some type of espionage activity. Checks and tests can be performed on all files and all information that is extracted from the environment as well. By using the capability to run YARA, Impex can work as a Data Loss Prevention (DLP) security control. Checks can be built by a specific customer to fit their setup, to search or hunt for keywords or data structures in files that are not allowed to be exfiltrated. Impex will trigger on such events and send alarms and logs to the ICC server, which in turn can send mail to responsible staff or send logs to SIEM solutions.
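
A sketch of the kind of customer-specific export check described above, as an added example that is not Sysctl's or Impex's own rule set. The marker phrases, project ID pattern, file header and rule names are all constructed for illustration, and how rules are loaded into Impex is not covered here.

```yara
// Constructed example rules: one keyword check and one data-structure check.
// Note: strings inside compressed containers (.zip, .docx, .xlsx) are not
// visible to a plain YARA scan unless the content is unpacked first.

rule DLP_Export_Classification_Marker
{
    meta:
        description = "File carries an internal classification marker or many project IDs"
        direction = "export"    // hypothetical metadata key, informational only
    strings:
        // "wide" also matches UTF-16LE text, "nocase" ignores letter case
        $m1 = "COMPANY CONFIDENTIAL" ascii wide nocase
        $m2 = "INTERNAL USE ONLY" ascii wide nocase
        // constructed project ID format, e.g. PROJ-2021-ABC
        $proj = /PROJ-[0-9]{4}-[A-Z]{3}/ ascii wide
    condition:
        // a single marker is enough; isolated project IDs are tolerated,
        // but more than three in one file suggests a bulk listing
        any of ($m*) or #proj > 3
}

rule DLP_Export_Proprietary_Project_File
{
    meta:
        description = "File matches the header of a (constructed) engineering project format"
        direction = "export"    // hypothetical metadata key, informational only
    strings:
        // constructed header: ASCII "PLCP" followed by a 2-byte version field
        $magic = { 50 4C 43 50 01 00 }
        // constructed section name expected inside such a file
        $section = "[NetworkTopology]" ascii
    condition:
        // header must sit at the very start of the file, so a renamed
        // extension does not hide the format
        $magic at 0 and $section
}
```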

Contact us at sysctl if you are interested in knowing more about how Impex can be used to help you protect your USB devices and to be compliant with mobile media handling.

Check out ESET's blog post and download the actual ESET report in PDF format.