Kaspersky also caught new ‘Strider’ hacking group, releases its own report

On Tuesday, Kaspersky Labs shed more light on a newly discovered, highly sophisticated hacking group that its competitor Symantec first announced on Monday.

Both companies appear to have been researching the hacking threat simultaneously.

When Symantec announced the attacker it was calling “Strider,” it made special note that the malware in the attacks had a reference to the “Lord of the Rings” villain Sauron in its source code. Kaspersky, too, noticed the reference and has been calling the threat actor “ProjectSauron.”

“ProjectSauron is a very advanced actor, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin,” Kaspersky wrote in its report. Duqu, Flame, the Equation Group and Regin occupy rarified air in the threat actor community — all four have been tied at least in part to United States intelligence.

Kaspersky found infected computers in Russia, Iran and Rwanda, while Symantec found them in Belgium, China, Sweden and Russia. Based on the keywords the malware searched for, many of which were in Italian, Kaspersky speculated that there may have been attacks on Italian-speaking countries as well.

The ProjectSauron report is more detailed about the choice of targets than the Strider report. Kaspersky identified government facilities, scientific research centers, military facilities, telecommunication providers and financial institutions as principal targets.

The new report also goes into more detail on the ability of the malware to steal data from hard-to-reach places — including secrecy-focused Virtual Encrypted Networks and networks not connected to the internet, called air-gapped networks.

The malware can attach commands destined for air-gapped networks to USB drives, which then carry protected files and data back to the attacker. Users are forced to unwittingly carry hidden files back and forth between computers and spread the malware.

Kaspersky’s report agreed with Symantec’s belief that ProjectSauron has been active since at least 2011. 

Unlike Symantec, which described the campaign as being used sparingly on extremely specific targets, Kaspersky believes the infections that have been found are only “the tip of the iceberg.” 

Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.