Separating networks with an air gap without additional security precautions won’t protect them from attack, according to research by security firm ESET.
An air-gapped network is physically isolated from any other networks to increase the security of the most sensitive and high-value systems within an organization. Industrial control systems running pipelines and power grids, voting systems, or SCADA systems operating nuclear centrifuges are among the use cases for air-gapping.
However, in a report ESET says there are at least 17 frameworks being used by attackers — many of them advanced persistent threat actors (APTs) — for getting into air-gapped systems. In the first half of 2020 alone, four previously unknown malicious frameworks designed to breach air-gapped networks were found.
“For organizations with critical information systems and/or classified information, a loss of data could be hugely damaging,” said Alexis Dorais-Joncas, ESET’s security intelligence team lead, in a statement. “Because of this, prioritizing detection and mitigation methods to protect air-gapped networks is crucial.”
The report looks at all 17 of the frameworks and found a number of commonalities:
- all the frameworks are designed to perform some form of espionage;
- all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks;
- there were no cases of actual or suspected use of covert physical transmission;
- over 75 per cent of all the frameworks used malicious LNK or autorun files on USB drives to either perform the initial air-gapped system compromise or to move laterally within the air-gapped network;
- more than 10 critical severity LNK-related remote code execution vulnerabilities in Windows have been discovered, then patched by Microsoft, in the last 10 years;
- all the frameworks were built to attack Windows systems. No evidence has been found of actual or suspected malware components built to target other operating systems.
Frameworks for attacking air-gapped networks aren’t new. The report says one dates back to 2005. Arguably the most well-known is Stuxnet, reportedly used by the U.S. and Israel to disrupt centrifuges in Iran. Some frameworks are attributed to well-known threat actors, while attribution of others is murky.
ESET defines air-gapped network malware as malware, or a set of malware components acting together (a framework), that implements an offline, covert communication mechanism between an air-gapped system and the attacker that can be either bi-directional (command and response) or unidirectional (data exfiltration only).
The most basic connected frameworks only have online connectivity with the attacker for data exfiltration purposes, says the report. The most powerful ones support a two-way communication protocol. Through a compromised system on the connected side, the attacker sends commands to the malware placed on the air-gapped network. This is done via a covert communication channel often placed on a USB drive. This feature grants the attackers the ability to remotely run arbitrary code inside air-gapped networks.
In the other, rarer cases, the attack scenario does not involve any internet-connected systems at all. ESET calls these “offline frameworks”. In these cases, everything indicates the presence of an operator or collaborator on the ground to perform the actions usually done by the connected part of connected frameworks, such as preparing the initial malicious USB drive responsible for the execution on the air-gapped side, executing the malware on the air-gapped system, extracting the exfiltrated data from the drive and sending additional commands to the air-gapped side.
Over the years researchers have pointed out that air-gapped systems are outdated because, by definition, they are isolated and thus can’t reach update servers. ESET says this leads to the question – is maintaining a fully air-gapped system doing more harm than good?
“Unfortunately, there is no right answer,” says Dorais-Joncas. “Maintaining a fully air-gapped system comes with the benefits of extra protection. But as we have learned, these outdated systems can quickly become vulnerable to malicious actors who prey on employee habits.”
The report makes the following recommendations for detecting and mitigating attacks:
- Prevent email access on connected hosts – Email is the most frequent technique used by attackers to compromise connected systems, often through malicious attachments. The attacker usually deploys a component on the connected system that will monitor the insertion of new USB drives and automatically place the malicious code needed to compromise the air-gapped system on them. Preventing direct access to emails on connected systems would mitigate this infection vector. This could be implemented with browser/email isolation architecture, where all email activity is performed in a separate, isolated virtual environment;
- Disable USB ports and sanitize USB drives – Physically removing or disabling USB ports on all the systems running in an air-gapped network is the ultimate protection. While removing USB ports from all systems may not be acceptable for all organizations, it might still be possible to limit functional USB ports only to the systems that absolutely require it. A USB drive sanitization process performed before any USB drive gets inserted into an air-gapped system could disrupt many of the techniques implemented by the studied frameworks;
- Restrict file execution on removable drives – Several techniques used to compromise air-gapped systems end up with the straight execution of an executable file stored somewhere on the disk, which could be prevented by configuring the relevant Removable Storage Access policies;
- Perform regular analysis of the system – Performing a regular analysis of the air-gapped system to check for malicious frameworks is an important part of security in order to keep data safe.
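The USB sanitization step in the recommendations above is where the report’s two most common findings (autorun files and malicious LNK shortcuts on the drive) can be caught before a drive ever reaches an air-gapped host. The script below is an added example, not code from ESET or the report: a sanitization-station check that walks a mounted drive, flags any autorun.inf, and parses each .lnk file straight from its bytes (the MS-SHLLINK header, LinkInfo local path and StringData fields) rather than letting Explorer or WScript.Shell resolve the shortcut, so the check itself never triggers the icon or target handling that LNK exploits rely on. The list of flagged interpreters, the constructed drive contents in `demo()`, and the `build_lnk` sample generator are all assumptions made for the demonstration.

```python
"""Offline sanitization check for a removable drive (added example, constructed data).

Walks a mounted USB drive, flags autorun.inf, and parses every .lnk file from
its raw bytes (MS-SHLLINK layout) instead of resolving it through the shell,
so nothing on the drive is executed or rendered during the check.
"""
import os
import struct
import tempfile
from pathlib import Path

# ShellLinkHeader magic: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Illustrative heuristic (assumption): interpreters a document shortcut has no business invoking.
SUSPICIOUS_TOKENS = ("cmd.exe", "powershell", "rundll32", "mshta", "wscript",
                     "cscript", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, the LinkInfo local base path and the StringData of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                       # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList blob (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"flags": flags, "local_base_path": ""}
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                       # VolumeIDAndLocalBasePath present
            start = pos + lbp_off                  # null-terminated ANSI path
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += size
    for flag, key in STRING_FIELDS:                # StringData: 2-byte char count, then chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += width * count
    return info


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Constructed sample generator: a minimal, spec-shaped .lnk (no IDList, ANSI LinkInfo)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    lbp = target.encode("cp1252") + b"\x00"
    body = volume_id + lbp + b"\x00"                                 # trailing empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, 0x1, 28, 28 + len(volume_id),
                            0, 28 + len(volume_id) + len(lbp)) + body
    strings = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + strings


def assess_lnk(info: dict) -> list:
    """Return the reasons a parsed shortcut looks like a lure; empty list if none."""
    haystack = " ".join(v for v in info.values() if isinstance(v, str)).lower()
    reasons = [f"invokes {tok}" for tok in SUSPICIOUS_TOKENS if tok in haystack]
    if not info["local_base_path"] and not info.get("relative_path"):
        reasons.append("no plain file target (IDList-only shortcut)")  # heuristic, needs analyst review
    return reasons


def scan_removable_drive(root: str) -> list:
    """Walk the mounted drive and collect findings; nothing on the drive is executed."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() == "autorun.inf":
            findings.append({"path": str(path), "reasons": ["autorun.inf present"]})
        elif path.suffix.lower() == ".lnk":
            try:
                reasons = assess_lnk(parse_lnk(path.read_bytes()))
            except ValueError as exc:
                reasons = [str(exc)]
            if reasons:
                findings.append({"path": str(path), "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed drive image: one autorun file, one benign shortcut, one lure shortcut."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
        (Path(root) / "Report.lnk").write_bytes(build_lnk(r"C:\Windows\notepad.exe"))
        (Path(root) / "Budget.docx.lnk").write_bytes(
            build_lnk(r"C:\Windows\System32\cmd.exe", r"/c start .\hidden\update.exe"))
        return [{"path": os.path.relpath(f["path"], root), "reasons": f["reasons"]}
                for f in scan_removable_drive(root)]


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {', '.join(finding['reasons'])}")
```

On a real sanitization station the call is `scan_removable_drive` on the drive’s mount point; any finding means the drive is quarantined rather than passed through. The parser deliberately reads only the fields it needs and never resolves the IDList through the shell, because the shell’s own handling of shortcut metadata is exactly the code path the LNK vulnerabilities mentioned in the report have targeted.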