Security Experts Discover Sophisticated Cyberespionage Campaign Active Since 2011

Called Strider by Symantec and ProjectSauron by Kaspersky, the malware infected dozens of computers in Iran, Russia, Sweden, China, Belgium and Rwanda.

Cyber attack (illustrative).
Dreamstime

Cyber security experts have uncovered a sophisticated cyberespionage campaign that has targeted dozens of organizations in Iran, Russia, Sweden, China, Belgium and Rwanda since 2011. The new hacker group is being called Strider by experts at Symantec and ProjectSauron by the experts at Kaspersky.

"ProjectSauron is particularly interested in gaining access to encrypted communications," Kaspersky said, "hunting them down using an advanced modular cyber-espionage platform that incorporates a set of unique tools and techniques. The most noteworthy feature of ProjectSauron’s tactics is the deliberate avoidance of patterns: ProjectSauron customizes its implants and infrastructure for each individual target, and never reuses them. This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks."

The two cyber security companies stated that the attacks discovered on dozens of computers in various organizations were the work of a sophisticated group with "tentative links with a previously uncovered group, Flamer," as Symantec put it. Flamer, or Flame, is one of the programs considered to be connected to the Stuxnet software family, which, as has been reported many times since the initial report in the New York Times, was developed jointly by the United States and Israel in order to harm the Iranian nuclear program.

That being said, the two companies are not claiming that the same group is responsible for both. Kaspersky's report, for example, says that the creators of ProjectSauron appear to have "learned" a lot from the creators of Stuxnet.

According to Kaspersky, 30 organizations have so far been identified as victims of the attack, mostly in Russia, Iran and Rwanda, with more possible victims in Italy. It is believed that further companies in other regions were also attacked; that said, ProjectSauron's mode of operation makes it very difficult to identify every newly infected target. Symantec, for its part, identified 36 infected computers, among them machines belonging to government bodies, militaries, research centers, telecom companies and financial organizations.

Analysis of the findings led the researchers to conclude that ProjectSauron has been active since June 2011 and was still active in 2016. The initial vector used to infect the victims' communication networks is still unknown.

“A number of targeted attacks now rely on low-cost, readily-available tools,” Vitaly Kamluk, principal security researcher at Kaspersky, said. “ProjectSauron, in contrast, is one of those that relies on homemade, trusted tools and customizable scripted code. The single use of unique indicators, such as control server, encryption keys and more, in addition to the adoption of cutting edge techniques from other major threat actors, is rather new. The only way to withstand such threats is to have many layers of security in place, based on a chain of sensors monitoring even the slightest anomaly in organizational workflow, multiplied with threat intelligence and forensic analysis to hunt for patterns even when there appear to be none.”
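Kaspersky's description of DNS as one of ProjectSauron's exfiltration routes and Kamluk's call for sensors that flag even slight anomalies point at the same defensive problem: an attacker who never reuses an indicator leaves no known-bad name to block, so the defender has to score behaviour instead. The Python script below is an added illustration of that approach and is not code from the article, from Symantec or from Kaspersky. It aggregates DNS query logs per registered domain and flags domains that show three signs typical of DNS tunnelling at once: many distinct, single-use subdomains, unusually long leftmost labels, and high-entropy (encoded-looking) label content. The log format, the domain names, the client addresses and the thresholds are constructed assumptions; the "last two labels" rule for the registered domain is a simplification that a real deployment would replace with the public suffix list.

```python
"""Heuristic detector for DNS-based exfiltration in query logs.

Added, illustrative example; not code from Symantec, Kaspersky or the article.
Scores each registered domain on three signals that DNS tunnelling tends to
leave behind: many distinct single-use subdomains, long leftmost labels, and
high-entropy label content.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log, format "timestamp client qname"; all values are invented.
SAMPLE_LOG = """\
2016-08-08T10:00:01 10.1.2.3 www.example.com
2016-08-08T10:00:02 10.1.2.5 www.example.com
2016-08-08T10:00:03 10.1.2.3 mail.example.com
2016-08-08T10:00:04 10.1.2.3 example.com
2016-08-08T10:00:05 10.1.2.7 img1.static-photos.org
2016-08-08T10:00:06 10.1.2.7 img2.static-photos.org
2016-08-08T10:00:07 10.1.2.7 img3.static-photos.org
2016-08-08T10:00:08 10.1.2.7 img4.static-photos.org
2016-08-08T10:00:09 10.1.2.4 0123456789abcdef0123456789abcdef.cdn-update.net
2016-08-08T10:00:10 10.1.2.4 fedcba9876543210fedcba9876543210.cdn-update.net
2016-08-08T10:00:11 10.1.2.4 0f1e2d3c4b5a69780f1e2d3c4b5a6978.cdn-update.net
2016-08-08T10:00:12 10.1.2.4 a1b2c3d4e5f60798a1b2c3d4e5f60798.cdn-update.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname):
    """Return (registered_domain, leftmost_label).

    Assumes the registered domain is the last two labels (a simplification;
    use the public suffix list in practice). Bare domains yield (None, None).
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), labels[0]


def domain_stats(log_text):
    """Aggregate per registered domain: query count, unique subdomains,
    mean leftmost-label length and entropy, and the querying clients."""
    buckets = defaultdict(lambda: {"labels": [], "subdomains": set(), "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                       # skip malformed lines
        _ts, client, qname = parts
        domain, label = split_qname(qname)
        if domain is None:
            continue
        bucket = buckets[domain]
        bucket["labels"].append(label)
        bucket["subdomains"].add(qname.lower())
        bucket["clients"].add(client)
    stats = {}
    for domain, bucket in buckets.items():
        labels = bucket["labels"]
        stats[domain] = {
            "queries": len(labels),
            "unique_subdomains": len(bucket["subdomains"]),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "clients": sorted(bucket["clients"]),
        }
    return stats


def suspicious_domains(log_text, min_unique=3, min_len=20, min_entropy=3.5):
    """Domains that trip all three signals at once. The thresholds are assumed
    starting points and should be tuned against a baseline of normal traffic;
    requiring all three keeps CDNs with many short, low-entropy hosts out."""
    return sorted(
        domain for domain, s in domain_stats(log_text).items()
        if s["unique_subdomains"] >= min_unique
        and s["mean_label_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for domain, s in sorted(domain_stats(SAMPLE_LOG).items()):
        print(f"{domain:20} queries={s['queries']:2} unique={s['unique_subdomains']:2} "
              f"len={s['mean_label_len']:5.1f} entropy={s['mean_entropy']:.2f}")
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

On the constructed sample, `static-photos.org` has as many distinct subdomains as `cdn-update.net` but is not flagged, because its labels are short and low-entropy; only the domain whose every query carries a long, never-repeated encoded label trips all three signals. In a real deployment the per-domain statistics would be compared against a rolling baseline rather than fixed thresholds, which is the "hunt for patterns even when there appear to be none" that Kamluk describes.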