Researchers have found advanced malware that can steal encryption keys, collect information from air-gapped computers, and record someone’s keystrokes without being detected. The researchers have no idea who designed the malware, named Project Sauron, but it’s so sophisticated they’re convinced it must be a “nation-level” organization. Instead of pointing fingers (or respecting Lord of the Rings lore), they’re calling Project Sauron’s creator “Strider.”
Both security firms marvel at its complexity:
“The threat actor behind [Project Sauron] commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication,” Kaspersky Lab writes in its paper on the tool, “designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.”
Which means it probably wasn’t created by a small group of people doing whatever the hell they’re doing in this ridiculous “hacking” scene from Arrow.
Instead, Kaspersky and Symantec think that “Strider” is probably directly affiliated with a major world government. The two security research firms aren’t pointing fingers at the United States, but for the most part, Project Sauron’s targets aren’t friends of America.
Kaspersky Lab found the malware lurking on computers in Russia, Iran, and Rwanda; Symantec also found it on devices in Belgium, Sweden, and China. Project Sauron is said to have targeted government embassies, telecom companies, scientific research centers, and an airline, among other groups.
Project Sauron has been lurking on unsuspecting computers for quite a while, learning from its predecessors like Flame, Duqu, and other sophisticated malware programs. It’s an extraordinary piece of code, and both Symantec and Kaspersky are reasonably certain that “Strider” is being run by a national government.
“Strider is capable of creating custom malware tools and has operated below the radar for at least five years,” Symantec writes in its report on the sophisticated malware. “Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker.”
Project Sauron was built to evade detection by using different file sizes, names, and modules for each target, which makes it hard for researchers to identify it.
“The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover,” Kaspersky Lab writes in its report. “We are aware of more than 30 organisations attacked but we are sure that this is just a tiny tip of the iceberg.”
That could have serious implications for Strider, whoever it may turn out to be. North Korea faced enormous backlash after it was accused of hacking Sony in 2014 and, potentially, continuing to target other groups in the years since then.
If Strider does turn out to be American, it wouldn’t be the first time the U.S. has deployed a hack on this scale. The infamous Stuxnet virus, said to have been created by the U.S. and Israel, caused serious physical damage to Iran’s nuclear facilities (it overloaded some sensitive centrifuges and stuff blew up). It could only be a matter of time before Iran finally retaliates.
These incidents, along with many others, raise an important question about where hacking falls on the scale between “crime” and “declaration of war.” Until that’s decided, every hack is a gamble.
Of course, that’s only true if Project Sauron’s creation can be attributed to any one nation-state in particular, and that probably isn’t going to happen anytime soon. Though there’s probably plenty of finger-pointing going on behind closed doors, there isn’t enough public information to unmask Strider yet. But Project Sauron is written in English, it’s sophisticated enough to evade researchers for five years, and it targeted people in important positions.
“Attribution is hard and reliable attribution is rarely possible in cyberspace. Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources,” Kaspersky Lab writes in a blog post. “When dealing with the most advanced threat actors, as is the case with [Project Sauron], attribution becomes an unsolvable problem.”
For now, Strider shall remain in the shadows.