Cyberspies Target Air-Gapped Systems at European Government Organization

Cyberespionage APT GoldenJackal has been targeting air-gapped systems at government organizations and embassies.

The cyberespionage advanced persistent threat (APT) actor tracked as GoldenJackal has been observed targeting government organizations in Europe with tools designed to compromise air-gapped systems, ESET reports.

Showing small overlaps with Russia-linked cyberespionage group Turla, GoldenJackal has been active for at least five years, focusing on government and diplomatic entities in Europe, the Middle East, and South Asia.

Previous reporting on GoldenJackal revealed limited attacks against entities in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, but ESET has uncovered two other victims, namely a South Asian embassy in Belarus and a European Union government organization.

Although the attacks occurred years apart, the APT used malware targeting air-gapped systems to collect and exfiltrate sensitive information in both cases.

In August 2019, ESET says, the threat actor targeted a South Asian embassy in Belarus with multiple custom tools, including GoldenDealer, which can deploy executables on air-gapped systems via USB drives, the GoldenHowl backdoor, and GoldenRobo, which collects and exfiltrates files.

USB drives were likely infected when inserted into a compromised internet-connected system on which a worm component was installed. Like the group’s JackalWorm, this worm component monitored connected USB drives and copied itself and GoldenDealer to them.

GoldenDealer was responsible for collecting information about the air-gapped system, sending it to a command-and-control (C&C) server when the drive was inserted into an internet-connected machine, and installing server-supplied executables when the drive was inserted into the air-gapped computer again.
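The relay described above leaves two observable traces on the defender's side: a removable volume whose serial shows up on hosts in both the internet-connected and the air-gapped segment, and a process launched from that volume on the air-gapped host. The following is an added illustration, not code from the ESET report or from GoldenJackal, and it runs over constructed mount/exec events; the segment label per host is assumed to come from an asset inventory.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the ESET report): removable-volume
# mount/unmount events and process-creation events, ordered by "ts".
# "segment" is assumed to be joined in from an asset inventory keyed by host.
EVENTS = [
    {"ts": 1, "host": "ws-12", "segment": "internet", "kind": "mount",   "serial": "USB-1111", "drive": "E:"},
    {"ts": 2, "host": "ws-12", "segment": "internet", "kind": "unmount", "serial": "USB-1111", "drive": "E:"},
    {"ts": 3, "host": "ag-03", "segment": "airgap",   "kind": "mount",   "serial": "USB-1111", "drive": "F:"},
    {"ts": 4, "host": "ag-03", "segment": "airgap",   "kind": "exec",    "image": r"F:\update.exe", "parent": "explorer.exe"},
    {"ts": 5, "host": "ag-03", "segment": "airgap",   "kind": "unmount", "serial": "USB-1111", "drive": "F:"},
    {"ts": 6, "host": "ws-12", "segment": "internet", "kind": "mount",   "serial": "USB-1111", "drive": "E:"},
    {"ts": 7, "host": "ws-40", "segment": "internet", "kind": "mount",   "serial": "USB-2222", "drive": "E:"},
    {"ts": 8, "host": "ws-40", "segment": "internet", "kind": "exec",    "image": r"C:\Windows\notepad.exe", "parent": "explorer.exe"},
]


def bridging_drives(events):
    """Return {serial: sorted segments} for volumes mounted in more than one segment."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "mount":
            seen[e["serial"]].add(e["segment"])
    return {s: sorted(segs) for s, segs in seen.items() if len(segs) > 1}


def removable_execs(events):
    """Return exec events whose image sits on a removable drive letter that is
    mounted on that host at that moment (mount/unmount state tracked per host)."""
    mounted = defaultdict(dict)  # host -> {drive letter: serial}
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        h = e["host"]
        if e["kind"] == "mount":
            mounted[h][e["drive"].upper()] = e["serial"]
        elif e["kind"] == "unmount":
            mounted[h].pop(e["drive"].upper(), None)
        elif e["kind"] == "exec":
            drive = e["image"][:2].upper()
            if drive in mounted[h]:
                hits.append({**e, "serial": mounted[h][drive]})
    return hits


def triage(events):
    """Rank removable-media executions: a drive that also bridges segments is the
    pattern of a USB relay, so those executions are flagged high."""
    bridging = bridging_drives(events)
    return [("high" if hit["serial"] in bridging else "medium",
             hit["host"], hit["image"], hit["serial"])
            for hit in removable_execs(events)]
```

Hosts in an air-gapped segment should normally produce no exec events from removable media at all, so even the medium finding is worth reviewing there.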

“We have observed GoldenDealer running GoldenHowl on an internet-connected PC. While we didn’t observe GoldenDealer directly executing GoldenRobo, we observed the latter also running on the connected PC, used to take files from the USB drive and exfiltrate them to its C&C server,” ESET notes.


Written in Python, the GoldenHowl backdoor was designed to run on internet-connected systems and consisted of modules responsible for functions ranging from persistence to C&C communication and data gathering and exfiltration.

Written in Go, the GoldenRobo component would execute the Robocopy utility to exfiltrate files to the C&C server. The cybersecurity firm believes that the attackers used another component to copy files from the air-gapped system to the USB drive.

Between September 2019 and January 2024, GoldenJackal also used the previously detailed JackalControl, JackalSteal, and JackalWorm malware against the embassy.

Starting in May 2022, the APT was observed targeting a governmental organization in an unnamed European country with a new toolset that relies on a modular approach to performing various tasks: some machines were used for data exfiltration, others as internal servers, and others for file collection.

“Most of these tools are written in Go and provide diverse capabilities, such as collecting files from USB drives, spreading payloads in the network via USB drives, exfiltrating files, and using some PCs in the network as servers to deliver diverse files to other systems. In addition, we have seen the attackers using Impacket to move laterally across the network,” ESET says.

The toolset included GoldenUsbCopy and GoldenUsbGo, which copy files to an encrypted container on inserted USB drives; GoldenAce, a distribution tool for propagating executables and retrieving files via USB drives; GoldenBlacklist and GoldenPyBlacklist, which are processing components; GoldenMailer and GoldenDrive, used for file exfiltration; and Python’s built-in HTTP server.

“Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets,” ESET notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
