How Was Malware Introduced to an Air Gapped Network?

"External network links are the lifeblood of most malware," said information security journalist Darren Pauli, in a recent article featured on The Register. In this article, Darren discusses a clever piece of malware that was sent to researchers at FireEye for investigation after it was found on an air gapped network.

An air gapped network has no direct connection to the internet, so data is typically moved on and off of devices via USB drives. This attack vector may sound familiar to anyone who remembers the game-changing Stuxnet malware and the attack on Iran's nuclear facilities. It was transported via USB drives [1], and consequently spurred a dramatic change in cyber security awareness at many high profile facilities worldwide, especially those in the nuclear power industry.

target icon

As Darren mentions in his article, there have been many other proofs of concept created in labs to demonstrate the vulnerabilities of air gapped networks — but most appear far-fetched, too expensive, or too slow to be practical.

So how did this particular piece of malware succeed in infecting the network? Multiple techniques appear to be in play:

  1. The malware was transported, at least partially, over USB drives
  2. Certain staff members or internet connected machines were targeted for attack
  3. Part or all of the malware payload was encrypted
  4. The malcode is separated into multiple pieces

Transport over USB

No futuristic techniques were used to get the malware on the air gapped network. It simply used the most common transport mechanism available in this scenario — a USB drive. The article mentions that internet-connected machines were targeted, and as soon as that machine was infected it would wait for any removable drive to be plugged-in. Upon detecting the plugged-in USB drive, the malcode was silently downloaded to the removable drive. Presuming that at least some of these removable drives would make their way into the air gapped network, it was simply a matter of being successful before being noticed.

Targeted Attack

For this USB drive vector to work, the attackers would have to have several pieces of knowledge about the environment, the users and their patterns. This type of reconnaissance is often an underestimated part of many serious cyber-attacks. At the very least, the attacker would have to know which internet connected devices were used with removable drives that were also used inside the facility. Often these internet-connected devices are dedicated computers used to download security software updates and other important information to be manually transferred via USB onto the air gapped network.

Encryption

Some parts of the malware were encrypted when stored on the USB drive. This simple obfuscation is sufficient to bypass an improperly configured malware scanner, as well as manual inspection by users or administrators. As a caveat, the article isn't clear about how advanced the encryption may have been — it's possible that the encryption itself was the most sophisticated part of the attack and details are not being revealed.

Multiple Pieces

Here's where things get really interesting. As mentioned by Cisco in some of their recent publications [2], malware writers are starting to break up their malcode into multiple pieces to evade detection. This case is similar but not exactly as described by Cisco. It's not quite a 'dropper' either [3]. Instead, it appears to be one piece of malware installed on the targeted machine, and this malware acts as a command and control server — creating 'workers' to travel on the USB drives and collect data on the air gapped network. Sometime later when that same USB is plugged back in to the internet connected machine, the command and control malware grabs the stolen information and uploads it to a server somewhere.

Prevention

MetaDefender KioskThere are organizations that specialize in providing products and services to protect air gapped networks. The industry leader is MetaDefender by OPSWAT. MetaDefender is a platform for providing unmatched security for SCADA controlled environments and industrial control systems. It is commonly deployed in a purpose-built hardened kiosk, providing numerous methods of stopping attacks like the one described here. Some capabilities of MetaDefender include:

  • File type conversion and data sanitization
  • Secure data workflow
  • Multi-scanning powered by Metascan
  • Data security policies
  • Data transfer auditing

Here's how this secure data workflow could have prevented the attack:

  1. First, the internet-connected computer is assumed to be infected. No internet-connected machine can ever be assumed to be clean.
  2. The removable media inserted into the internet-connected computer would be marked as 'outside-only'.
  3. When entering the air gapped facility, a kiosk would be present at the security checkpoint. The 'outside-only' media would be inserted into the 'in' USB port on the kiosk.
  4. A second USB drive, maintained by the facility as 'inside-only' would be inserted into the 'out' USB port on the kiosk.
  5. The input USB drive would be scanned with multiple anti-malware engines, and results would be displayed on-screen.
  6. Any files that could not be scanned (in this case the encrypted malware) would raise an alarm that the USB contained unscannable files.
  7. At this point, the process should stop and forensic investigation should begin. Let's assume that the process did not stop; is there another layer of protection?
  8. The user or security administrator would manually select only the desired files to transfer to the 'inside' USB drive.
  9. Any of these files could be converted to another file type, in effect wiping out any embedded malcode. For example: Word files could be converted to PDF or PDFs could be converted to images.
  10. The scanned and optionally sanitized files would then be safely transferred to the 'inside' USB drive.
  11. The employee would then take the 'inside' USB device with them into the air gapped network, leaving behind the 'outside' USB device (and its malware) to be picked up upon their exit.

As this article started, an air gapped network can instill a false sense of security. When working in critical infrastructure, the extra few minutes a day needed to enforce secure data workflow can literally save millions of dollars or even lives. And of course these same techniques can be used for traditional (non-air gapped) networks. Multi-scanning is an effective strategy for catching advanced malware, even when used in combination with sandboxing.

Update 2/24/15:

In Kaspersky's report about Equation, they have named a piece of malware dating back to 2008 with nearly the same behavior as the one described above — it is named Fanny. Detailed analysis of Fanny is provided separately from the rest of the report. The module in question is agentcpd.dll, "…a backdoor that was designed to work as an advanced reconnaissance tool for air-gapped computers that are normally used in highly secure facilities."

References

[1] Steven Cherry, "How Stuxnet Is Rewriting the Cyberterrorism Playbook," [Online]. Available: http://spectrum.ieee.org/podcast/telecom/security/how-stuxnet-is-rewriting-the-cyberterrorism-playbook. [Accessed 20 February, 2015].

[2] "Cisco 2015 Annual Security Report," [Online]. Available: http://www.cisco.com/web/offers/lp/2015-annual-security-report/index.html. [Accessed 20 February, 2015].

[3] "Dropper (malware)," [Online]. Available: http://en.wikipedia.org/wiki/Dropper_%28malware%29. [Accessed 20 February, 2015]

Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.