It's hard enough creating one air-gap-jumping tool. Researchers say the group GoldenJackal did it twice in five years.
Researchers have unearthed two sophisticated tool sets that a nation-state hacking group -- possibly from Russia -- used to steal sensitive data stored on air-gapped devices, meaning those that are deliberately isolated from the internet or other networks to safeguard them from malware.
One of the custom tool collections was used starting in 2019 against a South Asian embassy in Belarus. A largely different tool set created by the same threat group infected a European Union government organization three years later. Researchers from ESET, the security firm that discovered the toolkits, said some of the components in both were identical to those fellow security firm Kaspersky described in research published last year and attributed to an unknown group, tracked as GoldenJackal, working for a nation-state. Based on the overlap, ESET has concluded that the same group is behind all the attacks observed by both firms.
The practice of air gapping is typically reserved for the most sensitive networks and the devices connected to them, such as those used in voting systems, industrial control, manufacturing, and power generation. A host of malware used in espionage hacking over the past 15 years demonstrates that air gapping isn't a foolproof protection. It nonetheless forces threat groups to expend significant resources that are likely obtainable only by nation-states with superior technical acumen and unlimited budgets. ESET's discovery puts GoldenJackal in a highly exclusive collection of threat groups.
"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one but two separate tool sets designed to compromise air-gapped systems," ESET researcher Matías Porolli wrote in Tuesday's report. "This speaks to the resourcefulness of the group."
The evolution from the 2019 kit to the one deployed three years later underscores the growing sophistication of GoldenJackal's developers. The first generation provided a full suite of capabilities, including:
Within a few weeks of deploying the kit in 2019, ESET said, GoldenJackal started using other tools on the same compromised devices. The newer tools, which Kaspersky documented in its 2023 research, included: