Kaspersky Lab has uncovered yet another highly advanced piece of malware that appears to be targeting industrial systems. Researchers estimate that it has managed to remain hidden for at least five years, and that it borrows techniques from state-sponsored attacks such as Duqu and Flame.
Currently called ProjectSauron, the malware searches for custom network encryption software. Such software is generally used by organisations to secure their internal communications, and may therefore be of some value to the threat actor behind the malware. Interestingly, ProjectSauron is advanced enough to have been found on air-gapped systems.
The malware's modules have been found to collect as much information as possible from victims. They include a keylogger, document theft, and the ability to steal encryption keys.
Around 30 victims of ProjectSauron have been identified thus far. These are mainly in Russia, Iran, and Rwanda, although Kaspersky suspects that more may be found in several Italian-speaking countries. The victims were organisations providing critical services to governments, the military, scientific research, telcos, and financial organisations.
Kaspersky has not identified who is behind ProjectSauron, although it states clearly that a project of this scale can only exist with the assistance of a nation state. No fingers are being pointed as yet, and it is unlikely that anyone will step forward to own up to this particular espionage campaign.