A Mysterious Hacking Group GoldenJackal Targets Embassies, Steals Data From Air-Gapped Systems
Explore GoldenJackal, a stealthy hacking group targeting embassies and air-gapped systems, using advanced techniques to steal data and evade detection.
INTRODUCTION:
The GoldenJackal threat group has drawn attention for its advanced intrusion techniques. Its strategy is both unusual and dangerous because it focuses on air-gapped systems rather than the internet-connected systems that most cyber threats target.
Their ability to get past traditional security measures, and the newly discovered toolset in particular, has caught the attention of the cybersecurity community. They have found ways to extract data from systems that were previously thought almost impossible to compromise.
This discovery highlights the need for strict security measures even in the most secure environments, and the constantly changing nature of cyber threats.
What Do Air-Gapped Systems Mean?
An air-gapped system is a computer or network that is "physically separated" from the internet and from any other external network. Because of this isolation, there are no direct connections to the outside world, whether by cable or by Wi-Fi. High-security sectors such as government organizations, military units, and critical infrastructure facilities frequently use such systems, disconnecting them from the internet in order to protect them from remote threats.
How GoldenJackal Bypasses Air Gaps: The Key Malware Involved
Let's now examine how GoldenJackal gets inside these extremely secure, air-gapped systems. While analyzing attacks against a European government agency, ESET researchers discovered a new toolset, written primarily in Go, and attributed it to the GoldenJackal group, which Kaspersky Lab had connected to similar operations the year before. Kaspersky had earlier documented GoldenJackal's .NET-based malware tools, such as JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher. ESET has now found additional malware written in Python and Go.
The group uses a combination of techniques that involve both software and physical access. Here is a simple summary of their approach:
1. Physical Access
The attacker first gains access to a machine that is connected to the organization's network, such as a server or a laptop.
This could involve:
Using a USB drive:
Malware can be installed on the air-gapped machine if a compromised USB drive is inserted into it. The malware can then start collecting information and staging it for transfer.
GoldenUsbCopy monitors a system for USB drive insertions, evaluates files against criteria specified in an encrypted configuration file, and then archives the selected files into an encrypted disk container. Exfiltration is performed later with other tools.
Compromising Employees:
Attackers may trick or reward staff members who have access to critical systems, causing them to unintentionally help by running malicious software or inserting malicious devices.
ESET researchers noted that GoldenJackal attacked the EU organization using a modular approach. They stated, "Certain hosts were exploited to extract files, some functioned as local servers to manage the transfer of staged and configuration files, while others were targeted for file collection, serving espionage objectives."
2. Stealthy Malware
GoldenJackal uses advanced malware that can hide inside a system and wait for the right moment to steal data. Because air-gapped computers usually do not receive regular updates and do not run internet-based security tools that could detect such activity, this kind of malware frequently goes unnoticed.
GoldenAce uses USB devices to transfer malware to other computers and can reach air-gapped networks. Its payload is JackalWorm, a USB-based infection previously documented by Kaspersky Lab. GoldenAce looks for any drive letter attached to a volume and checks whether the drive's root contains a "trash" directory. If not, it creates one as a hidden folder and places a file called "update" inside it.
The utility then hides the first folder on the drive, installs a copy of JackalWorm, and renames it to match the name of the hidden folder with a .exe extension. Because the JackalWorm executable carries a folder icon, it fools users into thinking they are opening a folder they recognize.
When JackalWorm is launched, it runs the "update" file in the hidden trash folder and opens the hidden folder in Windows Explorer to simulate the expected behavior and allay suspicion. The update file most likely serves as a data collection tool: when the USB drive is returned to the original machine, GoldenAce can recover the collected files from the trash folder.
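The two on-disk indicators described above (a "trash" directory holding an "update" file, and an .exe named after a sibling folder so that it masquerades as that folder) can be checked for on a removable drive before it is trusted. The following scanner is an added example, not ESET's or the malware's code; the rule names, the helper names and the constructed sample layout are assumptions, while the directory and file names follow the report.

```python
"""Scan a removable drive root for the GoldenAce / JackalWorm staging
pattern: a 'trash' directory with an 'update' file, and an .exe whose
name mirrors a sibling folder. Added example; layout below is constructed."""
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; absent on other OSes

def is_hidden(path: Path) -> bool:
    """True when the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def scan_removable_root(root) -> list:
    """Return (rule, path) findings for the given drive root."""
    root = Path(root)
    findings = []
    dirs = {p.name.lower(): p for p in root.iterdir() if p.is_dir()}
    # Rule 1: a 'trash' directory holding an 'update' file (the stager/collector).
    trash = dirs.get("trash")
    if trash is not None:
        for f in trash.iterdir():
            if f.is_file() and f.stem.lower() == "update":
                findings.append(("trash_update_staging", str(f)))
    # Rule 2: an .exe whose name mirrors a sibling folder (folder-icon masquerade).
    for f in root.iterdir():
        if f.is_file() and f.suffix.lower() == ".exe" and f.stem.lower() in dirs:
            rule = "folder_masquerade_exe"
            if is_hidden(dirs[f.stem.lower()]):
                rule += "_hidden_twin"  # twin folder is hidden, as the report describes
            findings.append((rule, str(f)))
    return findings

def build_sample_drive(base) -> Path:
    """Constructed layout mimicking the described pattern (no real samples)."""
    root = Path(base)
    (root / "trash").mkdir()
    (root / "trash" / "update").write_bytes(b"constructed placeholder")
    (root / "Reports").mkdir()                  # the folder the worm would hide
    (root / "Reports.exe").write_bytes(b"MZ")   # executable named after the folder
    (root / "notes.txt").write_text("benign")
    return root

def demo() -> list:
    """Scan the constructed layout created in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_removable_root(build_sample_drive(tmp))
```

Calling demo() returns one finding per rule for the constructed layout; on a real drive, pass the mounted root path to scan_removable_root() instead.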
3. Side-Channel Data Transmission
GoldenJackal has developed creative ways to extract data from air-gapped devices even when there is no internet access. These methods, referred to as side-channel attacks, include:
- Electromagnetic emissions: All electrical devices release weak electromagnetic waves. With sophisticated equipment, attackers can capture these emissions and decode them to obtain private data.
- Acoustic signals: Surprisingly, the sounds made by a computer's hard disk or fan can be modulated to carry hidden messages. These sounds can be recorded remotely by attackers, who then use them to carry data out.
- Light signals: Another method is modulating the light emitted by computer LEDs, such as those on screens or external devices. These lights can blink in particular patterns, encoding data that cameras and other devices can decipher.
4. Retrieving the Data
Once the data is staged for extraction, GoldenJackal may use physical means or a compromised insider to retrieve it. An unwitting person may, for instance, connect a USB device that silently copies the stolen data before handing it to the attackers.
Data exfiltration is handled by the programs GoldenMailer and GoldenDrive. GoldenMailer is a Python program that emails archived files to attacker-controlled accounts. GoldenDrive, written in Go, uploads files directly to Google Drive. Researchers also discovered that some computers ran a Python web server, probably intended to distribute files across the network.
GoldenBlacklist and GoldenPyBlacklist appear to be two implementations of the same task: preparing stolen emails for exfiltration. Both analyze an email archive downloaded from a server, filter out messages from particular blacklisted senders, and create an encrypted archive ready for exfiltration.
What Makes This Risky?
Air-gapped systems protect the most sensitive information, acting as a fortress for critical infrastructure, financial records, and military secrets. If groups like GoldenJackal can compromise these systems, the consequences could be disastrous:
Unauthorized access to defense agencies' air-gapped networks could disclose top-secret military plans and government operations.
A successful intrusion into air-gapped systems that manage transportation networks, water supplies, or power grids could destabilize entire countries.
Breaches of financial institutions could expose sensitive information and cause severe economic disruption.
How to Protect Air-Gapped Systems
The emergence of attacks such as GoldenJackal's underscores the need for a strong, multi-layered security approach for air-gapped systems. Organizations should focus on the following actions:
Physical Security: Enforce strict physical access controls to keep unauthorized users away from air-gapped systems.
Disable External Ports: Limiting the use of USB drives and other external devices considerably reduces the risk of malware being introduced.
Routine Inspections: Regularly monitor and inspect physical security procedures to find and fix any weaknesses.
Network Segmentation: To reduce the attack surface and restrict lateral movement, improve network segmentation.
Endpoint Security: Make sure that the most recent security updates are regularly installed on all endpoint devices, such as servers and laptops. Deploy comprehensive endpoint detection and response (EDR) systems to keep a vigilant eye on any malicious activities.
Utilize Faraday Cages: For highly sensitive environments, organizations can secure computers within Faraday cages. These structures prevent electromagnetic signals from escaping or entering, thereby complicating potential side-channel attacks.
Employee Training and Awareness: It's crucial to inform staff about the dangers of social engineering and the significance of adhering to security protocols. By raising awareness about the vulnerabilities of air-gapped systems, employees can be better equipped to avoid inadvertently facilitating an attack.
Frequent Security Assessments: Regularly perform security audits and penetration tests to uncover and rectify any weaknesses.
Incident Response Strategy: Formulate a detailed incident response strategy to ensure a swift and effective reaction to any security breaches.
CONCLUSION
The GoldenJackal threat highlights that no system is completely safe from cyber threats. By understanding the strategies employed by sophisticated threat actors and adopting strong security practices, organizations can greatly reduce the likelihood of successful attacks on their air-gapped systems.