Air-Gapped Systems are Becoming a Treasure Trove for Attackers

For years, air-gapping has been recommended as a standard cybersecurity practice to protect sensitive systems and networks. Organizations often isolate their critical systems by disconnecting them from the public internet and other networks to protect sensitive data and backups from cybercriminals. However, this technique is no longer proving to be the magic bullet it once seemed.

Why the rising concern?

Last month, three reports showed increased interest among hacking groups in developing malware capable of infiltrating air-gapped networks. Let’s find out!

  • The Chinese hacking group Tropic Trooper, also known as KeyBoy, targeted the air-gapped networks of the Taiwanese and Philippine militaries. According to Trend Micro, a cybersecurity and defense company, the attacks used USBferry, a malware strain with a feature that allows it to self-replicate to removable USB devices.
  • Researchers at ESET, the cybersecurity firm, discovered a malware called Ramsay that is capable of jumping the air gap to collect Word, ZIP files, and PDFs in a hidden storage container. Once the malware enters an air-gapped device, it can spread to any other device it may find.
  • Security researchers at Kaspersky identified a new version of the COMpfun malware used by Turla, a state-sponsored Russian threat actor. The new malware contains a self-propagation mechanism to infect other systems on internal or air-gapped networks.
  • After three back-to-back attacks on air-gapped networks within a week in May, Kaspersky revealed a new malware called USBCulprit in the first week of June. Used by a hacking group known as Cycldek, Goblin Panda, or Conimes, the malware is designed to compromise air-gapped devices via USB to steal government information.

Isolated systems are not only meant for government bodies

  • Typically, air-gapped systems are utilized to protect sensitive data at government organizations or intelligence agencies. However, even data centers that are not owned by critical institutions may have air-gapped networks.
  • From isolated backups, good copies can be restored in case of ransomware attacks. But a backup can only be useful if kept up to date and is easily retrievable. If not updated at regular intervals, backups become attractive targets for crooks.
  • Since victims usually pay the ransom if their backups are compromised, hackers invest tremendous time and effort into designing malware that is capable of jumping air gaps.

How to defend against the attacks

Most of these cyberattacks succeed because of human error, including a lack of patching and system hardening, the use of shadow IT, and weak passwords. In attacks such as these, taking standard precautions alone may not be enough. Organizations need to embrace robust security measures such as limiting network connectivity and web usage and regulating endpoint activity. They must maintain all the basic cybersecurity hygiene on the air-gapped systems as well.
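Regulating endpoint activity on an air-gapped system starts with removable media, since USBferry, Ramsay and USBCulprit all ride in on USB drives. The following Python snippet is an added example, not code from the article or from any of the vendors it cites: it scans constructed Linux kernel log lines for USB mass-storage attach events and reports every device whose serial number is not on an approved-transfer-drive allowlist (the serials, hostnames and log lines are made up).

```python
import re

# Constructed sample of kernel messages (as written to /var/log/kern.log)
# for three USB attach events: an approved drive, an unknown drive, a keyboard.
SAMPLE_LOG = """\
May 12 09:14:02 airgap-ws1 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
May 12 09:14:02 airgap-ws1 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
May 12 09:14:02 airgap-ws1 kernel: usb 1-2: SerialNumber: 4C530001234567890000
May 12 09:14:03 airgap-ws1 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
May 12 11:40:55 airgap-ws1 kernel: usb 1-3: new high-speed USB device number 5 using xhci_hcd
May 12 11:40:55 airgap-ws1 kernel: usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
May 12 11:40:55 airgap-ws1 kernel: usb 1-3: SerialNumber: DEADBEEF00000001
May 12 11:40:56 airgap-ws1 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
May 12 11:41:00 airgap-ws1 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
May 12 11:41:00 airgap-ws1 kernel: usb 1-4: SerialNumber: KB0001
"""

# Hypothetical allowlist: serials of the sanctioned transfer drives only.
APPROVED_SERIALS = {"4C530001234567890000"}

SERIAL_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)")


def unapproved_storage_devices(log_text, approved):
    """Return (timestamp, port, serial) for each mass-storage device not in the allowlist.

    The serial is logged on the 'usb <port>' line before the usb-storage driver
    binds, so serials are remembered per port and looked up when storage appears.
    Non-storage devices (keyboards, mice) never produce an alert.
    """
    serial_by_port = {}
    alerts = []
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            serial_by_port[m.group("port")] = m.group("serial")
            continue
        m = STORAGE_RE.search(line)
        if m:
            port = m.group("port")
            serial = serial_by_port.get(port, "<unknown>")
            if serial not in approved:
                alerts.append((TS_RE.match(line).group("ts"), port, serial))
    return alerts


if __name__ == "__main__":
    for ts, port, serial in unapproved_storage_devices(SAMPLE_LOG, APPROVED_SERIALS):
        print(f"{ts} ALERT: unapproved USB mass storage on port {port}, serial {serial}")
```

On a real host the same check would run over `journalctl -k` output or a udev rule hook; the allowlist is the policy, the log scan only verifies it was respected.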

A security researcher has developed a left-field technique for extracting data from air-gapped systems that relies on hacking power supplies.

The Mission Impossible-style approach, dubbed ‘POWER-SUPPLaY’, relies on creating an acoustic covert channel by turning a PC’s power supply into a speaker.

The technique, developed by Israeli security researcher Dr Mordechai Guri, is capable of working on secure air-gapped PCs, even in cases where the owners have taken the extra precaution of disabling audio hardware and forbidding the use of loudspeakers.

Provided attackers can first get the POWER-SUPPLaY malware onto the hardware, servers, PCs and IoT devices might still leak data, even in cases where they are both air-gapped and audio-gapped, as Dr Guri explains in a paper.

“Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities,” the researcher explains.

“The malicious code manipulates the internal ‘switching frequency’ of the power supply and hence controls the sound waveforms generated from its capacitors and transformers.”

Sound technique, but caveats apply

Using the POWER-SUPPLaY technique, data files (including keystrokes and encryption keys) can be modulated onto an audio signal and sent to a nearby receiver, such as a smartphone.

The researchers were able to get the approach to work against a wide range of systems, albeit with severe inherent limitations.

One major downside is that the attack is hampered by background noise that may impact the transmission’s quality.

The computer scientist was able to get the technique to work, but only over distances of less than five metres and with data speeds that maxed out at a sluggish 50 bit/sec.

Dr Guri, the head of R&D at the Ben-Gurion University of the Negev’s Cyber-Security Research Center, told The Daily Swig that despite its limitations the technique he developed was nonetheless practical.

“The acoustic method is effective in terms of distance,” he explained. “It can reach several meters away. In terms of speed it is not the fastest covert channel, but [it] is enough for transmitting a brief amount of data.”

Dr Guri has built up a body of previous research on other covert techniques to extract data from systems on air-gapped networks.

The latest technique relies on planting malicious code on a targeted network. This can be accomplished by introducing malware on systems as they are built through supply chain attacks, according to Dr Guri.

A short video clip available through YouTube offers a demo of the POWER-SUPPLaY attack in practice.