Air-gapped systems are a mainstay of IT security — but even air-gapped systems can be vulnerable to sophisticated attacks.
According to a report from ESET Research, government agencies in Europe are learning this lesson the hard way. The GoldenJackal hacking group has allegedly breached at least two air-gapped systems by using custom toolsets, primarily utilizing USB pen drives to compromise the systems.
“With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems,” the report notes.
How Air-Gapped Systems Can Be Compromised
By definition, air-gapped systems aren’t connected to networks (much less the internet). Organizations typically air gap the systems that meet two criteria: One, they’re vital or valuable in some way; and two, they hold data that does not require regular access from multiple users.
In enterprise settings, air-gapped systems are often backups or archives. But in government, air-gapped systems may be even more valuable — they might hold voting data, control power grids, or serve other essential functions.
“The purpose of such attacks is always espionage, perhaps with a side of sabotage,” ESET notes.
Compromising an air-gapped system requires time, patience, and ingenuity (not to mention a few key errors on the part of the victim). GoldenJackal allegedly utilized a “new, highly modular” toolset to collect and exfiltrate files.
ESET and Kaspersky have not identified a vector for the two attacks, which impacted a South Asian embassy in Belarus and a separate European entity. However, researchers believe that executables were delivered to the target air-gapped systems via USB drives.
That component — nicknamed GoldenDealer by ESET — was accompanied by a backdoor (“GoldenHowl”) and a file collector/exfiltrator (“GoldenRobo”).
Related: Paying a Ransomware Ransom Is (Usually) Illegal
Enterprises Air-Gapped Systems May Be Susceptible to Other Attacks
In general, bad actors will target networked systems when attacking enterprises, for a simple reason: It’s much, much easier than creating and delivering a set of novel tools for an air-gapped system.
But in tape backup recovery cases, we’ve seen ransomware variants that were intentionally designed to sit on systems without executing; the goal is to ensure that the malicious software infects all systems, including air-gapped computers, to prevent recovery efforts following said execution.
One potential solution is to create a “golden copy” backup with essential functionality that can be used following a major attack. Of course, this approach sacrifices valuable data — a robust security policy is just as necessary as a strong backup/disaster recovery plan.
Protecting Your Air-Gapped Backups
While air gaps are not impenetrable, they remain a valuable security layer, provided that other potential vulnerabilities (such as USB access) are properly sanitized.
Organizations can strengthen their defenses by implementing comprehensive security measures:
- Security Awareness Training: Educate employees about social engineering tactics, the risks of removable media, and the importance of secure practices.
- Strict Access Controls: Implement strong authentication and authorization mechanisms for both physical and logical access to air-gapped systems.
- Regular Security Audits and PEN Testing: Conduct periodic security assessments and penetration (PEN) testing to identify vulnerabilities and ensure the effectiveness of security measures.
- Endpoint Security: Deploy robust endpoint protection solutions to detect and prevent malware infections on connected devices that could potentially interact with the air-gapped systems.
- Data Encryption: Encrypt sensitive data at rest and in transit to minimize the impact of a successful breach.
- Incident Response Plan: Develop and regularly test an incident response plan to effectively handle security incidents and minimize data loss.
If you’re building a ransomware strategy, Datarecovery.com can help. With resources for disaster recovery planning, enterprise data recovery, penetration (PEN) testing, and dark web monitoring, we provide organizations with essential tools for limiting vulnerabilities — and for recovering from novel attacks.
To learn more, call 1-800-237-4200 and speak with a member of our team.
