We first need to define what an air-gapped computer is. This is a computer with no external network connection: no ethernet cable to the outside (it may sit on an internal network that itself has no outside connection), no modem, no WiFi, and odds are the mouse and keyboard are hard-wired rather than Bluetooth. It's probably also kept in a windowless room that is hardened against radio signal penetration.
Secure, right?
Ask the Iranians if their centrifuge facility was secure against IT intrusion.
A nation-state actor, most likely Russia, figured out an attack against air-gapped PCs. The vector? USB drives. This is why, if you want to really secure your network, you take a tube of epoxy to the USB and other ports. The attack was first observed against a South Asian embassy in Belarus in 2019. It has since been used against an EU agency in 2022. The toolset is known as GoldenJackal.
The basics are quite simple. Infect a computer of someone whom you know works with the secure system you want into. Infect every USB device they plug in, trusting that eventually one of those flash drives will be plugged into the secure system to transfer information to or from it. The air-gapped system is now infected. Information gets mapped out, written to the USB drive, carried back to a non-secure computer and exfiltrated from there, analyzed by the controllers, who then plot what to exfiltrate next.
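The defensive counterpart to the attack chain above is knowing every time a storage device touches the air-gapped host. Here is an added illustration (not code from the post or the Ars article): a small Python audit of Linux kernel log lines that flags any USB mass-storage device whose serial number is not on a site allowlist. The log lines and the approved serial are constructed, and the allowlist is a hypothetical site policy.

```python
import re

# Constructed sample of Linux kernel (dmesg) lines for three USB insertions;
# these are made-up values, not logs from the GoldenJackal incidents.
SAMPLE_DMESG = """\
[  312.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  312.251] usb 1-1: SerialNumber: 4C530001230416118394
[  312.300] usb-storage 1-1:1.0: USB Mass Storage device detected
[  400.010] usb 1-2: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  400.020] input: USB Optical Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-2/input/input7
[  515.600] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  515.601] usb 1-3: SerialNumber: E0D55EA573DCF3A0F92E0A0B
[  515.700] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: serials of the drives the site has approved for transfers.
APPROVED_SERIALS = {"4C530001230416118394"}

NEW_DEV = re.compile(r"usb (\d[\d.-]*): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\d[\d.-]*): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\d[\d.-]*):\d+\.\d+: USB Mass Storage device detected")


def audit_usb_storage(dmesg_text, approved_serials):
    """Return one alert dict per mass-storage device whose serial is not approved.
    Non-storage devices (mice, keyboards) are tracked but never alerted on."""
    devices = {}   # port (e.g. "1-3") -> {"port", "vendor", "product", "serial"}
    alerts = []
    for line in dmesg_text.splitlines():
        if m := NEW_DEV.search(line):
            port, vendor, product = m.groups()
            devices[port] = {"port": port, "vendor": vendor, "product": product, "serial": None}
        elif m := SERIAL.search(line):
            port, serial = m.groups()
            devices.setdefault(port, {"port": port, "vendor": "?", "product": "?"})["serial"] = serial
        elif m := STORAGE.search(line):
            port = m.group(1)
            dev = devices.get(port, {"port": port, "vendor": "?", "product": "?", "serial": None})
            if dev.get("serial") not in approved_serials:
                alerts.append({**dev, "reason": "mass-storage device not on the approved-serial list"})
    return alerts


if __name__ == "__main__":
    for alert in audit_usb_storage(SAMPLE_DMESG, APPROVED_SERIALS):
        print(f"ALERT port={alert['port']} id={alert['vendor']}:{alert['product']} "
              f"serial={alert['serial']} ({alert['reason']})")
```

On a real host the same logic would read `journalctl -k` output; the allowlist only buys anything if the approved drives themselves are wiped and re-imaged between uses.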
It's an interesting write-up, though it can get a little deep in the weeds. It once again proves that computer security is very hard, and keeping ultra-secure environments secure is probably even harder. I'm not sure how you'd improve the security in this scenario: you're going to have to move information in and out of the secure air-gapped system for it to be useful, so it's a thorny issue.
There's a joke that the only secure computer has no network connection, no power, and is encased in a block of concrete. Very hard to hack that one!
https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-same-group-infect-air-gapped-devices/
no subject
Date: 2024-11-13 11:21 pm (UTC)

no subject
Date: 2024-11-13 11:46 pm (UTC)
'Tis true, dat!
no subject
Date: 2024-11-13 11:32 pm (UTC)

no subject
Date: 2024-11-14 12:59 am (UTC)
Leave it to the Russians to get infectious. :o
Hugs, Jon
no subject
Date: 2024-11-14 06:27 am (UTC)
We did a very similar thing, destroying the Iranian centrifuges with Stuxnet. It went in on an infected USB drive, but it wasn't an in-and-out in communications with a control server system. In many ways, this is much, much more sophisticated.
no subject
Date: 2024-11-14 03:43 am (UTC)

no subject
Date: 2024-11-14 06:27 am (UTC)
Indeed it does!
no subject
Date: 2024-11-14 05:23 pm (UTC)
You also make it a "clean" building. To walk to any "serious" work space, you will strip and put EVERYTHING in your work locker, and dress in work-issued clothing and equipment before entering the work space. Need to know the time? You get a work-issued dumb watch.
Any piece of equipment to be used in work spaces comes in factory sealed and is tested against specs before deploying.
A friend's husband works in a facility like this in the US. You aren't allowed to bring any kind of smart device beyond a certain point, and you are issued a phone that only makes phone calls -- no camera, no texting -- for use on site.
We are fortunate this wasn't done by the Iranians.
no subject
Date: 2024-11-14 06:35 am (UTC)