Suspected State-Backed APT Group Compromised Air-Gapped Systems in European Government With Custom Malware Attack

A new research report from ESET finds that the “GoldenJackal” advanced persistent threat group has the capability to compromise air-gapped systems, and has been deploying it in Europe since at least 2022. The custom malware attack appears to require physical access to the target system, as one would expect, but the group appears to be able to pull it off by first compromising USB drives that will later be connected to these systems.

GoldenJackal remains a bit of a mystery in that it is strongly suspected to be state-affiliated, but there is not yet a strong consensus on which state it works for. Some researchers have linked it to North Korea, while others note it shares tools and techniques with a known Russian intelligence group. This is in spite of the group having been active since at least 2019, primarily targeting governments in South Asia and the Middle East.

Air-gapped systems exploited by custom set of malware tools

ESET reveals that GoldenJackal has compromised at least two air-gapped systems, and both of these attacks seem to have gone undocumented for quite some time. The first was the Belarus embassy of an unspecified South Asian country, the initial compromise of which was at some point on or before August 2019. The second incident took place from May 2022 to March 2024 at a government organization in a European country.

The malware attacks are aimed at stealthy data gathering over an extended period. ESET describes the toolkit as having a broad range of capabilities focused on exploiting air-gapped systems that have been isolated because of the sensitive, classified information they hold.

GoldenJackal has previously been known to focus on diplomatic entities and government targets, but this is the first formal word of it successfully targeting air-gapped systems. ESET notes that only state-backed APT groups have previously been observed even attempting malware attacks against these types of systems, due to the complexity involved in pulling off the scheme and the amount of resources that must be put into it. In all previous known cases, the attacks were for the purpose of espionage.

The exposure of the scheme appears to have started with the 2022 discovery of a custom toolset that appeared to be focused on exploiting air-gapped systems. At the time, ESET could not attribute it to any known APT groups. But matching tools were discovered at the unspecified European government organization earlier this year, allowing the researchers to trace back and also match these tools to the prior malware attack in Belarus in 2019. ESET believes the threat group returned to target that embassy again in July 2021, and that it has made additional attempts against government organizations in Europe, the Middle East, and South Asia.

Each of the documented malware attacks also used a different and highly customized version of the toolset; the main components of the initial Belarus attack were not used again, and the version that appeared in Europe later was more sophisticated and modular.

Malware attack jumped to segregated systems via USB drives

As to how the attackers gained access to the air-gapped systems, it appears that USB drives connected to internet-facing networks at the target organization were compromised remotely. These drives were then physically walked to the systems and plugged in by staff at some point. With the initial version of the malware, called GoldenDealer, the target would have to click on a file on the drive disguised to look like a common folder.

An interesting point is that the malware attack would apparently only gather information on the target air-gapped system on first exposure, not beginning to collect files until the drive was brought back a second time. This would indicate that the attackers were deeply familiar with what drives were regularly walked by the targets to and from these systems. After the first exposure, GoldenDealer would simply run automatically when the drive was connected without requiring any further user interaction.
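A defender-side check suggested by the decoy-folder lure described above: an added example, not code from ESET or from this article. It assumes a mounted USB volume path, a hand-picked list of folder names worth watching, and uses the PE "MZ" header as the test for a Windows executable.

```python
import os
import tempfile
from pathlib import Path

# Folder names a lure file might imitate on a removable drive (assumed, edit to taste).
COMMON_FOLDER_NAMES = {"documents", "photos", "reports", "backup", "new folder"}
# Extensions Windows will execute on double-click (assumed watch list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def looks_like_folder_decoy(path: Path) -> bool:
    """True if path is a PE executable whose base name mimics a common folder."""
    if not path.is_file() or path.suffix.lower() not in EXECUTABLE_EXTS:
        return False
    with path.open("rb") as fh:
        if fh.read(2) != b"MZ":  # not a Windows PE image
            return False
    return path.stem.lower() in COMMON_FOLDER_NAMES


def scan_removable_drive(mount_point: str) -> list[str]:
    """Walk a mounted volume and return relative paths of folder-decoy executables."""
    hits = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            p = Path(root) / name
            if looks_like_folder_decoy(p):
                hits.append(str(p.relative_to(mount_point)))
    return sorted(hits)


def build_sample_drive() -> str:
    """Constructed sample volume: a real folder, a decoy, a plain installer, a non-PE file."""
    d = Path(tempfile.mkdtemp(prefix="usb_"))
    (d / "Documents").mkdir()
    (d / "Documents" / "notes.txt").write_text("constructed sample")
    (d / "Documents.exe").write_bytes(b"MZ" + b"\x00" * 62)        # decoy: PE named like a folder
    (d / "tools").mkdir()
    (d / "tools" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)  # PE, but not a folder-like name
    (d / "Photos.scr").write_bytes(b"PK\x03\x04")                   # folder-like name, not a PE
    return str(d)


if __name__ == "__main__":
    print(scan_removable_drive(build_sample_drive()))  # ['Documents.exe']
```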

The malware attacks share a command-and-control protocol with one commonly used by Turla, a group believed to be run by Russia’s FSB intelligence service. However, in recent years some researchers have pegged GoldenJackal to North Korea’s Reconnaissance General Bureau (RGB) military agency. There is also still not a definitive word on how the group initially penetrated each of its targets. ESET did not present any theories, but a prior report by Kaspersky indicates the group has been spotted using Word documents with malicious macros and fake Skype installers to phish employees.

While the focus has been on espionage thus far, air-gapped systems are also often used to control elements of the power grid and other components of critical infrastructure. Ray Kelly, Fellow at Black Duck Software, notes that this should be considered given the seeming focus on sabotage by certain nation-state actors: “This case is reminiscent of the STUXNET attack, where self-propagating malware was introduced into Iran’s Natanz nuclear facility via a USB drive. It highlights that, even today, air-gapped networks require strict controls when it comes to using portable drives and robust malware detection software to help defeat these threats.”