Season's greetings from a Russian hacking group

How to protect yourself from this “agile” group with “blindingly fast” attacks.
 
There are two ways to say ‘hello’ in Russian: a simple way, and a complicated one. “Privet” is the easy one. The other, “zdravstvuitye,” might tie an English speaker’s tongue.
 
Researchers say the Russian cyberattack group “Pawn Storm” is greeting its victims with both simple and complex hacks that can leave your head spinning and your secret files in the hands of spies.
 
And this holiday season, the group is well-prepared with new tools to sneak the presents right out of your stocking, according to researchers.
 
The group is known by many names, including “Sofacy.”
 
“Do you work with government or military contractors? Or are YOU the contractor? Then be warned: the Sofacy targeted attack actor has scaled up its activities – and may be interested in your data,” reported the Kaspersky Lab Business site.
 
A good year for Pawn Storm
 
Pawn Storm increased its attacks tenfold this year, according to Kaspersky Lab.
 
This group, described as dynamic, daring and highly professional, has targeted NATO, the White House and the French TV station TV5Monde, reported The Register.
 
Pawn Storm released wave after wave of attacks in 2015, still ongoing as of last month, said Kaspersky Lab. Some of those attacks use a new generation of a tool called a USB stealer, researchers said, and those attacks “appear to be geared exclusively towards high profile targets.”
 
Air gaps
 
Companies and agencies use “air gaps” to keep the bad guys away from sensitive information or crucial control systems. The computers that run those systems or hold that information are, unlike the rest of the computers in the company or agency, not connected to the Internet or to the ordinary office network. You might think of a castle with a moat, separating the king from marauders.
 
But Pawn Storm has come up with a way to bridge the air gap, Kaspersky Lab said, using malware that infects USB sticks. If the same stick is used on both a connected computer and an air-gapped computer, the malware quietly copies files from the air-gapped machine onto the stick, and when the stick returns to the connected machine, it sends those files out over the Internet.
 
Pulling down the drawbridge
 
Cybersecurity experts say companies and agencies should not rely on air gaps for protection.
 
“Air gapping has long been an Achilles’ heel of cybersecurity,” said Daniel Lance of Archer Security Group. “Think about it—even castles were breached when they had moats.”
 
“I have yet to encounter any truly air-gapped networks in my travels,” said Leonard Chamberlin, also of Archer Security Group. “There’s always some type of external communications path there, whether known or unknown, that prevents the network from being truly air-gapped.”
 
Lance said air gaps may make you let down your guard.
 
“Unplugging from a network isn’t removing vulnerability. It simply changes the attack vector,” explained Lance. “In some cases, it even improves the effectiveness of an exploit. If I believe my network is safe, I might start to ignore warning signs.”
 
Fortifying the castle
 
You may not be a military contractor in the crosshairs of Pawn Storm, but knowing your best defense can help you ward off attacks from any cybervillain.
 
Chamberlin highly recommends a security policy for removable media, such as USB flash drives.
 
He said the policy should address two things:
 
—The disabling of unused physical ports
 
—Comprehensive scanning/testing of any media before it is introduced to the production environment
 
“In other words, if you’re not using a USB port, it should be disabled so that it can’t be used,” Chamberlin said. “Additionally, USB flash drives should be scanned in a separate environment to ensure they’re clean before inserting any drive into any production computer.”
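The two policy points above, disabling unused ports and scanning media in a separate environment before it touches production, only work if the production host can tell a scanned stick from an unscanned one, and can tell whether the stick changed between the scan station and the production machine. The following is an added example, written for this page and not code from Archer Security Group, Kaspersky Lab or any real device-control product, of how that gate can be built: the scan station hashes every file on an allowlisted stick and issues an HMAC-authenticated ticket; the production host admits the stick only if the device is on the allowlist, the ticket is authentic and was issued for that device, and the contents still match the scan. The device identifiers, the station key, the file contents and the stand-in antivirus callback are all constructed for the example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed inventory for this example: sticks approved for use, keyed by
# USB vendor ID, product ID and serial number (the values udev reports as
# ID_VENDOR_ID, ID_MODEL_ID and ID_SERIAL_SHORT). Not real devices.
APPROVED_DEVICES = {
    ("0951", "1666", "E0D55EA5C0B5F0C0"): "courier-stick-01",
}

# Shared secret between the scan station and production hosts. Assumption:
# a real deployment keeps this in the device-control agent, not in source.
STATION_KEY = b"example-station-key-not-for-real-use"


def manifest(mount: Path) -> dict:
    """SHA-256 of every file on the stick, keyed by relative path. Hidden
    files and subdirectories are included: that is where a USB stealer
    would stage its payload or the documents it collected."""
    return {
        str(p.relative_to(mount)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(mount.rglob("*")) if p.is_file()
    }


def sign(record: dict) -> str:
    """HMAC over the canonical JSON form, so a production host can tell a
    genuine scan-station ticket from one written onto the stick itself."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(STATION_KEY, body, hashlib.sha256).hexdigest()


def scan_station_approve(mount: Path, device: tuple, is_clean):
    """Run on the isolated scan host. `is_clean(path)` stands in for the AV
    engine. Returns a ticket, or None if the stick must not be admitted."""
    if device not in APPROVED_DEVICES:
        return None
    files = manifest(mount)
    if not all(is_clean(mount / rel) for rel in files):
        return None
    record = {"device": list(device), "files": files}
    return {"record": record, "mac": sign(record)}


def production_admit(mount: Path, device: tuple, ticket):
    """Run on the production host before the stick is made available.
    Admit only an allowlisted device with an authentic ticket for that
    device whose contents are byte-for-byte what the scan station saw."""
    if device not in APPROVED_DEVICES:
        return False, "device not on the allowlist"
    if ticket is None:
        return False, "no scan ticket: stick was never scanned"
    record = ticket["record"]
    if not hmac.compare_digest(sign(record), ticket["mac"]):
        return False, "scan ticket failed authentication"
    if tuple(record["device"]) != device:
        return False, "scan ticket was issued for a different device"
    now = manifest(mount)
    if now != record["files"]:
        added = sorted(set(now) - set(record["files"]))
        removed = sorted(set(record["files"]) - set(now))
        modified = sorted(k for k in now if k in record["files"] and now[k] != record["files"][k])
        return False, f"content changed since scan: added={added} removed={removed} modified={modified}"
    return True, "admitted"


def demo() -> list:
    """Walk a constructed stick through the policy; returns (scenario, admitted, reason)."""
    results = []
    device = ("0951", "1666", "E0D55EA5C0B5F0C0")
    with tempfile.TemporaryDirectory() as tmp:
        stick = Path(tmp)
        (stick / "report.docx").write_bytes(b"quarterly numbers")  # constructed content
        ticket = scan_station_approve(stick, device, is_clean=lambda p: True)
        results.append(("clean, scanned stick",) + production_admit(stick, device, ticket))

        # An unlisted stick carrying the same files is never admitted, scanned or not.
        results.append(("unlisted stick",) + production_admit(stick, ("abcd", "1234", "NOPE"), ticket))

        # Between scan and use something wrote a hidden staging file, as a USB
        # stealer would when it drops its payload or collects documents.
        (stick / ".Trashes").mkdir()
        (stick / ".Trashes" / "stage.bin").write_bytes(b"\x00" * 16)
        results.append(("stick modified after scan",) + production_admit(stick, device, ticket))

        # Forged ticket: the manifest is rewritten to cover the new file, but
        # the MAC cannot be recomputed without the station key.
        forged = {"record": {"device": list(device), "files": manifest(stick)}, "mac": ticket["mac"]}
        results.append(("forged ticket",) + production_admit(stick, device, forged))
    return results


if __name__ == "__main__":
    for scenario, ok, why in demo():
        print(f"{scenario:28} -> {'ADMIT' if ok else 'REJECT'}: {why}")
```

The point of the manifest check is the third scenario: a stick that was clean at the scan station but gained a hidden file afterwards is exactly what an air-gap-bridging stealer produces, and an antivirus scan alone would not flag a freshly staged, not-yet-detected payload or a folder of copied documents. Hashing everything and refusing any difference catches both without knowing what the payload looks like.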
 
In addition, he said, you can add controls to connected computers that prevent them from making unexpected communications, such as sending out files that were carried over from air-gapped computers.
 
“Deploying controls to only allow explicit ports and services to expected destinations would help mitigate any successful attacks from being able to ‘phone home’ to the attacker,” Chamberlin said.
 
“Controls such as outbound traffic filtering to only allow expected applications to communicate out to expected destinations will not only block unexpected traffic, but will enable alerts when that unexpected traffic is detected,” he added.
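What Chamberlin describes is an egress allowlist: each application on a connected computer may talk only to the destinations it is expected to talk to, and anything else is both blocked and alerted on. The following is an added example, written for this page and not Archer Security Group's or any vendor's code, of the decision logic run over a few constructed connection records; the application paths, addresses, proxy and log format are this example's own assumptions, not taken from the article. It shows the two cases that matter: an unknown program phoning home, and a permitted program (here the mail client, as a macro or injected code would use it) reaching a destination it never should.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed egress policy for one connected workstation: each program may
# reach only the listed (protocol, network, port) destinations. Web access
# is allowed solely through the proxy, so a direct connection stands out.
EGRESS_POLICY = {
    "/usr/bin/outlook": [("tcp", "203.0.113.0/24", 443), ("tcp", "203.0.113.0/24", 587)],
    "/usr/bin/firefox": [("tcp", "192.0.2.10/32", 3128)],
    "/usr/sbin/ntpd":   [("udp", "192.0.2.0/24", 123)],
}

# Constructed connection records in the shape a host firewall or endpoint
# agent might emit. The last line is deliberately malformed.
SAMPLE_LOG = """\
2015-12-14T09:12:44Z host=ws17 app=/usr/bin/outlook proto=tcp dst=203.0.113.25:443
2015-12-14T09:12:51Z host=ws17 app=/usr/bin/firefox proto=tcp dst=192.0.2.10:3128
2015-12-14T09:13:02Z host=ws17 app=/usr/sbin/ntpd proto=udp dst=192.0.2.5:123
2015-12-14T09:13:30Z host=ws17 app=/tmp/.cache/update proto=tcp dst=198.51.100.7:443
2015-12-14T09:13:31Z host=ws17 app=/usr/bin/outlook proto=tcp dst=198.51.100.7:443
2015-12-14T09:13:40Z host=ws17 app=/usr/bin/firefox proto=tcp dst=198.51.100.7:443
garbage line the agent should never emit
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) app=(?P<app>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<ip>[0-9.]+):(?P<port>\d+)$"
)

Event = namedtuple("Event", "ts host app proto ip port")
Verdict = namedtuple("Verdict", "event action reason")


def parse(line: str):
    """One log line to an Event, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["ip"] = ipaddress.ip_address(d["ip"])
    d["port"] = int(d["port"])
    return Event(**d)


def evaluate(ev: Event, policy=EGRESS_POLICY) -> Verdict:
    """Default deny: allow only an exact (app, proto, network, port) match."""
    rules = policy.get(ev.app)
    if rules is None:
        return Verdict(ev, "BLOCK", "unknown application attempted an outbound connection")
    for proto, net, port in rules:
        if ev.proto == proto and ev.port == port and ev.ip in ipaddress.ip_network(net):
            return Verdict(ev, "ALLOW", f"permitted by rule {proto} {net}:{port}")
    return Verdict(ev, "BLOCK", "permitted application reaching an unexpected destination")


def audit(lines, policy=EGRESS_POLICY) -> dict:
    """Apply the policy to each record. Blocked connections are the alerts;
    lines the parser rejects are reported too, since an agent emitting
    unparseable records is itself worth a look."""
    result = {"allowed": 0, "blocked": [], "unparsed": []}
    for line in lines:
        ev = parse(line)
        if ev is None:
            result["unparsed"].append(line)
            continue
        v = evaluate(ev, policy)
        if v.action == "ALLOW":
            result["allowed"] += 1
        else:
            result["blocked"].append(v)
    return result


if __name__ == "__main__":
    r = audit(SAMPLE_LOG.splitlines())
    print(f"allowed: {r['allowed']}")
    for v in r["blocked"]:
        e = v.event
        print(f"ALERT {e.ts} {e.host} {e.app} -> {e.ip}:{e.port}/{e.proto}: {v.reason}")
    for line in r["unparsed"]:
        print(f"UNPARSED: {line}")
```

Keying the policy on the program path as well as the destination is what makes the fifth record an alert: the mail client is allowed out, but only to the mail servers, so a document macro or injected code borrowing its process to reach an attacker's host still trips the rule. A destination-only firewall would have let that one through.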
 
Kaspersky Lab Business also recommended device control.
 
“The use of Device Control technology can limit the use of USB devices and prevent data from leaving the defensive perimeter – or attackers’ own toolset components from reaching into or outside of air-gapped networks,” said Kaspersky Lab Business.
 
“Concerned organisations should patch religiously and implement comprehensive in-house phishing penetration tests,” also reported The Register.
 
Christmas Vacation?
 
Relaxing by the fireplace on Christmas Day, eggnog in hand? Unfortunately, Pawn Storm will probably not take December 25 off, as Russia doesn’t celebrate Christmas until January 7. If you’re a possible Pawn Storm target, prepare to beef up your device control policy. If you are an “average Joe,” remember that USB sticks are once again a favored attack vector, and treat an unknown one accordingly, so you never have to say “privet”—or “zdravstvuitye”—to data thieves on the Internet.