Air-Gapped Systems are Becoming a Treasure Trove for Attackers

For years, air-gapping has been recommended as a standard cybersecurity practice for protecting sensitive systems and networks. Organizations isolate their critical systems by disconnecting them from the public internet and from other networks, so that sensitive data and backups stay out of reach of cybercriminals. However, the technique is no longer proving to be the magic bullet it was once thought to be.

Why the rising concern?

Three reports in May, followed by a fourth in early June, showed increased interest among hacking groups in developing malware capable of infiltrating air-gapped networks. Let's find out!
  • The Chinese hacking group Tropic Trooper, also known as KeyBoy, targeted the air-gapped military networks of Taiwan and the Philippines. According to Trend Micro, a cybersecurity and defense company, the attacks used USBferry, a malware strain that can copy itself onto removable USB drives in order to reach isolated hosts.
  • Researchers at the cybersecurity firm ESET discovered a malware called Ramsay that is built to jump the air gap: it gathers Word documents, PDFs, and ZIP archives into a hidden storage container for later collection. Once it reaches an air-gapped device, it can spread to any other device it can reach.
  • Security researchers at Kaspersky identified a new version of the COMpfun malware used by Turla, a state-sponsored Russian threat actor. The new malware contains a self-propagation mechanism to infect other systems on internal or air-gapped networks.
  • After three back-to-back attacks on air-gapped networks within a week in May, Kaspersky revealed a new malware called USBCulprit in the first week of June. Used by the hacking group known as Cycldek (also tracked as Goblin Panda or Conimes), the malware is designed to compromise air-gapped devices via USB drives in order to steal government information.

Isolated systems are not only meant for government bodies

  • Typically, air-gapped systems are utilized to protect sensitive data at government organizations or intelligence agencies. However, even data centers that are not owned by critical institutions may have air-gapped networks.
  • Isolated backups provide clean copies that can be restored after a ransomware attack. A backup is only useful, though, if it is kept up to date and can be retrieved quickly, and because it is the organization's recovery path, it is also an attractive target for criminals.
  • Because victims are far more likely to pay a ransom once their backups are compromised, attackers invest tremendous time and effort into designing malware capable of jumping air gaps.

How to defend against the attacks

Most of these cyberattacks succeed because of human error: missing patches, a lack of system hardening, the use of shadow IT, and weak passwords. Against attacks such as these, standard precautions alone may not be enough. Organizations need to adopt more robust measures, such as limiting network connectivity and web usage and controlling endpoint activity, in particular the use of removable media, which is the vector the malware described above relies on. They must also maintain all the basic cybersecurity hygiene on the air-gapped systems themselves.
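As an added example that is not part of the original article, the shell script below puts one of the recommended controls, regulating endpoint activity, into practice for the USB vector that USBferry and USBCulprit depend on. It shows a weak modprobe configuration beside a hardened one and a check that tells the two apart. It assumes (hypothetically, for this example) a Linux host that uses kmod, so that driver loading is governed by files under /etc/modprobe.d; the file paths are passed as arguments so the check can be run offline against the constructed sample configurations embedded in the script.

```shell
#!/bin/sh
# Added example, not the article's own code: deny USB mass storage on a
# Linux air-gapped host and audit that the policy is actually in force.
# Assumed (hypothetical): kmod-style /etc/modprobe.d configuration.

# Weak setting (constructed sample). 'blacklist' only stops the module from
# being autoloaded through its alias; an explicit 'modprobe usb-storage'
# still succeeds, and 'uas' (the other USB mass-storage driver) is untouched.
WEAK_CONF='# constructed sample: weak
blacklist usb-storage'

# Hardened setting (constructed sample). 'install <module> /bin/false' makes
# every load attempt, whether from hotplug or from an operator, run /bin/false
# instead of inserting the module, and it covers both mass-storage drivers.
HARDENED_CONF='# constructed sample: hardened
install usb-storage /bin/false
install uas /bin/false'

# usb_storage_denied FILE
# Exit 0 when FILE carries an 'install ... /bin/false' (or /bin/true) override
# for both usb-storage and uas; exit 1 otherwise. Comment lines are ignored
# because the pattern is anchored to a line that starts with 'install'.
usb_storage_denied() {
    for mod in usb-storage uas; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)[[:space:]]*$" "$1" \
            || return 1
    done
    return 0
}

# usb_storage_loaded
# Exit 0 if either driver is currently loaded (or compiled into the kernel),
# which is exactly the state the policy is meant to prevent. Linux only:
# sysfs exposes modules under /sys/module with underscores in the name.
usb_storage_loaded() {
    [ -d /sys/module/usb_storage ] || [ -d /sys/module/uas ]
}

# write_policy FILE
# Install the hardened configuration at FILE. On a real host the target is
# /etc/modprobe.d/air-gap-usb.conf, followed by 'rmmod uas usb-storage'
# if usb_storage_loaded reports that a driver is already in memory.
write_policy() {
    printf '%s\n' "$HARDENED_CONF" > "$1"
}

# Demonstration against the two constructed files.
demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$demo_dir/weak.conf"
write_policy "$demo_dir/hardened.conf"
for name in weak hardened; do
    if usb_storage_denied "$demo_dir/$name.conf"; then
        echo "$name.conf: usb-storage and uas cannot be loaded"
    else
        echo "$name.conf: USB mass storage is still loadable"
    fi
done
if usb_storage_loaded; then
    echo "this host currently has a USB mass-storage driver loaded"
fi
rm -rf "$demo_dir"
```

The check deliberately treats a blacklist-only file as weak: on an air-gapped host the threat is a drive that is physically plugged in, and the hotplug path is only one of the ways the driver can end up in memory. Pair the configuration with a periodic run of usb_storage_loaded so that a driver loaded before the policy was written, or built into the kernel, does not go unnoticed.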