Security researchers have detected a highly advanced, five-year-old piece of malware that has been secretly targeting governments, militaries, telecoms companies, and scientific research centres.
It’s highly likely to be built by a nation-state, given its level of sophistication, and its targets have included organisations Russia, Iran, and Rwanda.
And it’s called Sauron.
Security firm Kasperspy has put out a new report detailing the malware, which it first detected in September 2015, and has been in use since 2011.
The company is calling it “ProjectSauron,” based on a string of code that uses the name “Sauron” — better known as the malevolent entity responsible for forging the Ring of Doom in his efforts to conquer Middle-Earth in J.R.R. Tolkien’s “The Lord of the Rings.”
“Top-of-the-top module cyber-espionage platform in terms of technical sophistication”
Here’s how Kaspersky describes the malware:
“The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customised per given target, reducing their value as indicators of compromise for any other victim.”
In English: ProjectSauron is extremely advanced, drawing lessons from other government-created malware and even the traces it leaves behind change from target to target to prevent people from noticing patterns and defending against it.
The malware, Kaspersky says, is focused on intelligence-gathering: It is “dedicated to just a few countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area.”
More than 30 organisations were compromised, in Russia, Iran, and Rwanda — but “many more organisations and geographies are likely to be affected.” Organisations targeted included, governments, scientific research centres, militaries, telecommunications providers, and finance institutions.
One of ProjectSauron’s objectives is to gather info on its targets’ encryption software — used to encode highly confidential and classified data. “ProjectSauron has high interest in communication encryption software widely used by targeted governmental organisations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the software.”
So who’s behind it?
Kaspersky cautions against trying to attribute blame in an attack like this:
“Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these can all be smoke and mirrors created by an attacker with a greater vantage point and vast resources. When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.”
But it does point out that all human-written text is in English, and it appears to have been coded with a Latin character set.
The attack is, the researchers write, similar in sophistication to previous top-of-the-line attacks, like Flame and Regin, which are believed to be developed by government intelligence agencies. “Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from these others.”