Turns out even air-gapping (disconnecting computers from the Internet to protect against cyber intrusion) isn’t a foolproof way to avoid getting hacked. Researchers from Kaspersky Labs, at its annual Security Analyst Summit in Cancun, Mexico in February, presented detailed findings of pervasive malware and embedded surveillance tools that have largely gone undetected for more than a decade -- tools that can jump air gaps.
Researchers from the Moscow-based Kaspersky Labs implied that the surveillance tools were developed and deployed by the US National Security Agency (NSA). They reported that attendees of a 2009 scientific conference in Houston were sent a CD of the conference proceedings. The CDs were tampered with on their way through the mail, and by the time they arrived at their destinations they contained booby-trapped contents. When loaded on a computer -- even an air-gapped computer -- a worm was let loose. Kaspersky Labs dubbed these worm-creators the “Equation Group.”
Some of the startling revelations about the Equation Group offered by Kaspersky Labs:
- The group created a program to systematically penetrate and map air-gapped systems.
- Their malware operates at the firmware level, which enables it to discover encryption keys, crack encryption algorithms, and remain in place through an operating system reinstall.
- The malware replaces hard-drive firmware to create a secret storage area on a hard disk that can survive drive reformatting.
- Some of this malware has existed since 2001 and has gone undetected until last month.
These findings raise some interesting and troubling questions for the cyber security industry, and specifically for those working within critical infrastructure. Chief among them is: what are organizations going to do to protect their systems? “From the perspective of helping people in the industrial automation space, it’s important to ask, ‘How proactive do I need to be?’” said Alan Grau, CEO of Icon Labs, a company that works in cyber security.
One of the chilling revelations about the Equation Group is that its advanced cyber intrusions were done more than a decade ago. Where does that put the bad actors today? “Some of the technology described by Kaspersky Labs is 12 to 14 years old. If the NSA was doing this a decade ago, how about the bad actors outside the US?” said Grau. “If they’re a decade behind the US in their cyber security, they must be pretty sophisticated now.”
Another implication from Kaspersky Labs is that the Equation Group’s cyber intrusions were more than traditional hacking. Some of the worms did not just rely on cyber attacks. They were insider attacks and social media attacks. “If they’re going to use insider attacks, they can take a long view of things,” said Grau. “They can get somebody in place somewhere and build upon it. The insider can be an employee or someone who installs equipment.”
One of the biggest news items from this year's Security Analyst Summit is that air-gaps are not secure. For years, security experts have been saying, take your sensitive data offline. Now we find offline is still not safe. “There is malware that can jump systems. One security group decided to penetrate a company, so they took DVDs with the movie Spring Break and put malware on them. Then they spread them around the company,” said Grau. Apparently 70% of the DVDs were used on the company’s offline system. “If you’re getting a free stick at a trade show, how do you know there isn’t malware on the stick? The sticks say they’re made in China,” said Grau.
Grau noted that he was in a customer meeting and someone said their system was air-gapped. One of the engineers present gave a skeptical look. Someone asked how long an air-gap lasts. Grau answered, “After we bring it in, it’s no longer air-gapped.” Some portion of the air-gapped computer is connected to the corporate network at some moment. “Few companies are perfect at air-gapping, and even if you are air-gapped, your system can be breached by an insider attack or by media,” he said.