An as-yet-unidentified group, known only as GoldenJackal and with suspected links to the Russian state, is targeting high-security networks that are intentionally isolated from the internet. Confidential data is frequently stored on “air-gapped” computers that have no online connection and were, until now, considered virtually impossible to hack.
But cybersecurity firm ESET now reports that GoldenJackal was deploying “a highly modular toolset” against a government organization in a European Union (EU) country between May 2022 and March 2024. This follows similar ongoing attacks on air-gapped systems in Belarus that began in August 2019.
“These toolsets provide GoldenJackal with a wide set of capabilities for compromising and persisting in targeted networks. Victimized systems are given different roles in the local network, from collecting interesting – likely confidential – information, to processing the information, distributing files, configurations, and commands to other systems, or exfiltrating files,” says ESET.
Organizations air gap systems running power grids
According to ESET: “Usually, organizations will air gap their most valuable systems, such as voting systems and industrial control systems running power grids. These are often precisely the networks that are of interest to attackers. Compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system… The purpose of such attacks is always espionage.”
GoldenJackal has developed a way of penetrating air-gapped systems via their one interface with other IT systems – USB sticks. The Belarus attacks used three main components: GoldenDealer to deliver executables to the air-gapped system via USB monitoring; GoldenHowl, a modular backdoor with various functionalities; and GoldenRobo, a file collector and exfiltrator.
A USB stick can become “a malicious executable”
“When a victim inserts a compromised USB drive in an air-gapped system and clicks on a component that has the icon of a folder but is actually a malicious executable, then GoldenDealer is installed and run, starting to collect information about the air-gapped system, and storing it on the USB drive,” explains ESET.
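The technique ESET describes relies on a Windows executable on the USB drive carrying a folder icon and a folder-like name. One defensive check a practitioner can run over a mounted removable drive is to identify files by their PE header rather than by name or icon and flag any that lack an executable extension. The script below is an added example, not ESET’s or GoldenJackal’s code; the sample drive layout, the `_fake_pe` header stub and the `EXEC_EXTS` list are constructed assumptions for the demonstration.

```python
import os
import struct
import tempfile
from pathlib import Path

# Extensions Windows normally treats as executable; any other file that carries
# a PE header is masquerading (e.g. a dropper that shows a folder icon).
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".sys"}

def is_pe_file(path: Path) -> bool:
    """Return True if the file carries a DOS 'MZ' stub and a 'PE\\0\\0' signature."""
    try:
        with path.open("rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]  # offset of PE header
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def scan_removable(root: Path) -> list[str]:
    """Walk a mounted drive and report PE files whose name does not look executable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_pe_file(p) and p.suffix.lower() not in EXEC_EXTS:
                findings.append(str(p.relative_to(root)))
    return sorted(findings)

def _fake_pe() -> bytes:
    """Constructed minimal PE header (not a runnable program) for the demo."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew points just past the stub
    return bytes(stub) + b"PE\0\0" + b"\0" * 20

def build_demo_drive() -> Path:
    """Lay out a constructed USB-like tree: a real doc, a normal exe, a disguised exe."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Reports").mkdir()
    (root / "Reports" / "budget.docx").write_bytes(b"PK\x03\x04 not a PE")
    (root / "tools.exe").write_bytes(_fake_pe())
    (root / "Documents").write_bytes(_fake_pe())   # named like a folder, is a PE
    return root

if __name__ == "__main__":
    for hit in scan_removable(build_demo_drive()):
        print("suspicious:", hit)
```

On a real drive, point `scan_removable` at the mount point; the header check is what catches a file whose name and icon have been chosen to look like a folder.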
As yet, no one is certain who is behind GoldenJackal, but cybersecurity experts agree that the group’s modus operandi firmly points to a potentially hostile nation-state sponsor, such as Russia. Cybersecurity firm Kaspersky also reported that tactical overlaps have been observed between the threat actor and Turla, one of Russia’s elite nation-state hacking crews. In one instance, a victim’s machine was infected both by Turla and GoldenJackal only two months apart.