Official forum for Utopia Community
An Eastern European industrial organization was the target of several attacks last year to steal data from air-gapped systems, all of which are thought to have been carried out by a nation-state actor with ties to China.
APT31, a hacker group also known as Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), was the group responsible for the intrusions, according to cybersecurity firm Kaspersky, who put their confidence in their conclusion with a medium to high level of certainty.
Based on their capacity to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure, the attacks involved the use of more than 15 different implants and their variants. These implants were divided into three major categories.
One of the implant types "appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe," Kaspersky said.
"The other implant type is intended to steal data from a local computer and send it to Dropbox with the aid of the subsequent implant types."
One collection of backdoors consists of various iterations of the FourteenHi malware family, which has been in circulation since at least mid-March 2021 and has a wide range of capabilities, including the ability to upload and download arbitrary files, execute commands, launch a reverse shell, and remove its own presence from the compromised hosts.
MeatBall is a second first-stage backdoor used for remote access and initial data collection. It has the ability to list active processes, enumerate connected devices, operate on files, take screenshots, and self-update.
A third type of first-stage implant that uses Yandex Cloud for command-and-control has also been found, echoing findings from Positive Technologies in August 2022 outlining APT31 attacks on Russian media and energy companies.
"The propensity to misuse cloud-based services (e.g. Google, Yandex, and Dropbox) is not a new problem, but it keeps growing because it is difficult to contain or mitigate when an organization's business operations rely on the use of such services," according to Kaspersky researchers. "Threat actors continue to make it more challenging to identify and analyze threats by concealing payloads in encrypted form in separate binary data files and by putting malicious code into the memory of trusted applications using DLL hijacking and a series of memory injections."
Dedicated implants have also been seen being used by APT31 to steal data from air-gapped systems by infecting removable drives and gathering local files.
The latter malware strain consists of at least three modules, each of which performs a different function, such as handling and profiling removable drives, capturing keystrokes and screenshots, and installing subsequent malware on newly connected drives.
According to Kirill Kruglov, senior security researcher at Kaspersky ICS CERT, the threat actor made conscious efforts to obscure their actions using encrypted payloads, memory injections, and DLL hijacking.
"While data exfiltration from air-gapped networks is a common tactic used by many APTs and targeted cyberespionage campaigns, the actor this time around has designed and carried out the operation specifically."
The aforementioned attack chains were specifically designed for the Windows environment, but there is evidence that APT31 has also targeted Linux systems.
The AhnLab Security Emergency Response Center (ASEC) discovered attacks earlier this month against South Korean businesses with the intention of infecting the machines with a backdoor referred to as Rekoobe.
According to ASEC, Rekoobe is a backdoor that can take instructions from a [command-and-control] server to carry out a number of tasks, including downloading malicious files, stealing internal files from a system, and executing reverse shell.
"Although its structure may be straightforward, it uses encryption to avoid network packet detection and is capable of a wide range of malicious actions when given orders by the threat actor."
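Two of the behaviours described in the post are directly observable in endpoint telemetry: a process that should not need cloud storage connecting to Dropbox, Yandex or Google endpoints, and executable content being written to a removable drive. The script below is an added defender-side illustration of how that telemetry can be triaged; it is not code from the article, from Kaspersky or from ASEC. The event format (a simplified key=value line modelled on Sysmon network-connection and file-create events), the sample events, the hostnames and the process allow-list are all constructed for the example and are not indicators from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hostnames of the cloud services the post says were abused as C2 /
# exfiltration channels. Assumed generic endpoints for the example,
# not indicators from the Kaspersky report; tune per environment.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "cloud-api.yandex.net", "webdav.yandex.ru",
    "www.googleapis.com", "drive.google.com",
}
# Processes that legitimately talk to those services (assumed allow-list).
EXPECTED_CLOUD_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# File types that, written to a removable drive, suggest payload staging.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".lnk")

# Constructed sample telemetry in a simplified "key=value" form modelled on
# Sysmon network-connection (type=net) and file-create (type=file) events.
SAMPLE_EVENTS = [
    r"type=net image=C:\Program Files\Dropbox\Client\dropbox.exe dest=api.dropboxapi.com",
    r"type=net image=C:\Windows\System32\svchost.exe dest=cloud-api.yandex.net",
    r"type=net image=C:\Users\u\AppData\Roaming\svc\updater.exe dest=content.dropboxapi.com",
    r"type=file image=C:\Windows\explorer.exe path=E:\report.docx drive=removable",
    r"type=file image=C:\Users\u\AppData\Roaming\svc\updater.exe path=E:\autorun.dll drive=removable",
    r"type=file image=C:\Users\u\AppData\Roaming\svc\updater.exe path=C:\temp\x.dll drive=fixed",
]


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired
    image: str   # full path of the originating process
    detail: str  # destination host or written file path


def parse_event(line):
    """Parse one key=value event line; values may contain spaces (e.g. 'Program Files')."""
    return dict(re.findall(r"(\w+)=(.+?)(?=\s\w+=|$)", line))


def triage(lines):
    """Apply both heuristics to every event and return the findings in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        # Heuristic 1: cloud-storage traffic from a process that should not need it.
        if (ev.get("type") == "net"
                and ev.get("dest", "").lower() in CLOUD_STORAGE_HOSTS
                and proc not in EXPECTED_CLOUD_CLIENTS):
            findings.append(Finding("cloud-c2-candidate", ev["image"], ev["dest"]))
        # Heuristic 2: executable content dropped onto removable media.
        if (ev.get("type") == "file"
                and ev.get("drive") == "removable"
                and ev.get("path", "").lower().endswith(PAYLOAD_EXTENSIONS)):
            findings.append(Finding("removable-drive-payload", ev["image"], ev["path"]))
    return findings


def correlate(findings):
    """Return the images that triggered both heuristics. A process that both stages
    payloads on USB media and talks to cloud storage matches the air-gap bridging
    pattern described in the post and deserves the first look."""
    rules_by_image = defaultdict(set)
    for f in findings:
        rules_by_image[f.image].add(f.rule)
    return {img for img, rules in rules_by_image.items()
            if {"cloud-c2-candidate", "removable-drive-payload"} <= rules}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:25} {f.image} -> {f.detail}")
    print("both patterns:", correlate(triage(SAMPLE_EVENTS)))
```

On the constructed sample, the Dropbox client's own traffic and the document copied to the USB stick are ignored, while the unexpected Yandex connection from svchost.exe and both the cloud traffic and the DLL write from the updater.exe process are flagged; only updater.exe appears in both rule sets. The allow-list approach is what makes this workable where blocking the services outright is not an option: the services stay reachable, but only from the processes that are supposed to use them.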
This research by Kaspersky is a perfect example of why physical isolation (air-gapping) is no longer enough. The fact that APT31 can use something as simple as a removable drive to bridge an air-gap shows that the "human element" is still the biggest security hole.
Key takeaways for our ecosystem:
• Abuse of Trusted Services: The article mentions how these actors use Dropbox, Yandex, and Google for C&C (Command and Control). This is a huge problem in the centralized world—you can't block these services without breaking a business, so the malware hides in plain sight. In Utopia, we don't rely on these third-party clouds, which removes that entire attack vector.
• The "Removable Drive" Worm: This modular malware that profiles and infects USB drives is terrifying for industrial systems. It’s a reminder that even if you aren't "online," your data is only as safe as your encryption.
• Why Decentralization Helps: While no system is 100% immune to local hardware infection, the decentralized nature of Utopia makes it much harder for an actor to "exfiltrate" data once they have it. There is no central server for them to send the stolen data to, and the multi-layered encryption of the P2P network makes "shadow" traffic much easier to spot compared to a standard office network.
It’s a constant arms race. Thanks for sharing this update, thrive—it’s a good reminder to keep our local encrypted containers locked and our firmware updated!