GoldenJackal attacks prove that air-gapped security still isn’t enough

The process of air-gapping highly sensitive computer systems is as old as highly sensitive computer systems. This idea of a physical separation between the networks that hold the most confidential data and those connected to corporate or internet networks is well tested and trusted.

But nothing is ever 100% secure from determined attackers. This has been evidenced by a startling new report from ESET that details how GoldenJackal attacks have successfully compromised at least three totally air-gapped systems at three different European government organisations on three different occasions. It’s not just good things that come in threes, it would seem.

The ESET report, Mind the (air) gap, oh how we laughed, reveals that initially it was thought the attacks took place over a period between May 2022 and March 2024, but further analysis found another dating back to 2019.

GoldenJackal background

“Victimized systems are abused to collect interesting information, process the information, exfiltrate files, and distribute files, configurations and commands to other systems,” said Matías Porolli, a Malware Researcher at ESET and author of the report.

Researchers found that the GoldenJackal advanced persistent threat (APT) group targeted government and diplomatic entities in Europe, the Middle East and South Asia, but little was known about them and their methods until very recently.

Kaspersky researchers were the first to analyse the group in May 2023, but it has managed to stay under the radar pretty well, which is why the ESET deep dive is so important, in threat intelligence terms at least.

“We can’t attribute GoldenJackal’s activities to any specific nation-state,” Porolli confirmed, but a clue that points in one rather too common direction is that the GoldenHowl malware control protocol is referred to in such a way as to suggest the developers are, wait for it, Russian speaking.

Breaking through the air-gap

So, how do these groups manage to pull off a hacking magic trick worthy of (insert magician of note applicable to your age here) in the first place? The fact that systems are literally not connected to anything would seem to make that impossible, right? Wrong.

“Compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system,” Porolli said, “which means that frameworks designed to attack air-gapped networks have so far been exclusively developed by APT groups.”

The goal of such frameworks is always espionage, but sometimes a bit of sabotage is thrown in for good measure.

GoldenJackal has managed to build and deploy two completely separate such toolsets, which suggests the group has plenty of resources to draw upon.

“The attacks against a South Asian embassy in Belarus made use of custom tools that we have only seen in that specific instance,” Porolli confirmed, which means those resources need to allow for the disposable nature of these complicated hacking tools.

How GoldenJackal attacks work

The GoldenJackal attack methodology, greatly simplified of course, appears to be split across three stages:

  1. GoldenDealer delivers executables to the air-gapped system via USB monitoring to gain initial access.
  2. GoldenHowl is a modular backdoor with various functionalities once that initial access has been gained.
  3. GoldenRobo is a file collector and exfiltrator to complete the attack.
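The first of those stages depends on executables arriving on the isolated host via removable media, so the control point for a defender is the drive itself, before it is ever plugged into the enclave. The script below is an added illustration, not code from the ESET report or from any GoldenJackal tooling: it triages a listing of files on a removable drive and flags executables and scripts, double extensions that disguise a program as a document, hidden files, file types outside an allowlist, and extensionless files. The file list, the suffix sets and the `Finding` type are all constructed for the example.

```python
"""Triage the contents of a removable drive before it is carried into an
air-gapped enclave. Added illustration; the sample listing is constructed."""
import os
from dataclasses import dataclass
from pathlib import PurePosixPath

# Suffixes that can execute or launch code on a Windows host (assumed set).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".lnk", ".msi"}
# Document and image types the enclave is willing to accept (assumed allowlist).
ALLOWED_SUFFIXES = {".pdf", ".docx", ".xlsx", ".txt", ".csv", ".jpg", ".png"}

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; used only when available


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def classify(path: str, hidden: bool) -> list[str]:
    """Return every reason a single file should be held back, in fixed order."""
    suffixes = [s.lower() for s in PurePosixPath(path).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
        reasons.append("executable or script")
    # 'report.pdf.exe' style names: an allowed-looking suffix in front of a runnable one.
    if (len(suffixes) >= 2 and suffixes[-2] in ALLOWED_SUFFIXES
            and suffixes[-1] in EXECUTABLE_SUFFIXES):
        reasons.append("double extension disguised as a document")
    if hidden:
        reasons.append("hidden file")
    if suffixes and suffixes[-1] not in ALLOWED_SUFFIXES \
            and suffixes[-1] not in EXECUTABLE_SUFFIXES:
        reasons.append("unexpected file type")
    if not suffixes:
        reasons.append("no extension")
    return reasons


def triage(entries: list[tuple[str, bool]]) -> list[Finding]:
    """Run classify() over (relative_path, is_hidden) pairs and collect findings."""
    return [Finding(path, reason)
            for path, hidden in entries
            for reason in classify(path, hidden)]


def is_clear(entries: list[tuple[str, bool]]) -> bool:
    """True only when nothing on the drive was flagged."""
    return not triage(entries)


def _has_hidden_attr(full_path: str) -> bool:
    # st_file_attributes exists only on Windows; elsewhere treat as not hidden.
    try:
        return bool(os.stat(full_path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    except (AttributeError, OSError):
        return False


def scan_directory(root: str) -> list[Finding]:
    """Walk a mounted drive and triage it; dot-prefixed names count as hidden too."""
    entries = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, name.startswith(".") or _has_hidden_attr(full)))
    return triage(entries)


# Constructed listing of a transfer drive, not taken from any real incident.
SAMPLE_ENTRIES = [
    ("minutes-2024-03.docx", False),
    ("budget.xlsx", False),
    ("report.pdf.exe", False),        # executable hiding behind a document suffix
    (".cache/update.dll", True),      # hidden library dropped into a dot-directory
    ("photo.jpg", False),
    ("notes", False),                 # no extension at all
    ("tools/readme.dat", False),      # type outside the allowlist
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"{f.path}: {f.reason}")
    print("drive clear" if is_clear(SAMPLE_ENTRIES) else "drive held for review")
```

The rules are deliberately simple and ordered so that a reviewer sees the most serious reason first; `scan_directory()` applies the same rules to a real mount point, while `triage()` and `is_clear()` work on a plain listing so the logic can be checked without a drive attached. An allowlist of accepted types, rather than a blocklist of known-bad ones, is the choice that matters for an air-gapped transfer point.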

Those of you with long memories may recall the Stuxnet attack against Iran’s Natanz nuclear facility, which also managed to breach the air-gap protection by using an infected USB drive.

This delivered a worm that effectively reprogrammed centrifuges essential to the operation of the nuclear facility which, in turn, overheated and destroyed things from the inside.

GoldenJackal is likely to have used similar methods to deliver the malware to the air-gapped target – an infected USB drive – but how that was delivered remains an unknown and likely will stay that way. As with Stuxnet.

The lessons that should have been learned from Stuxnet have not, however, according to Graeme Stewart, head of public sector at Check Point Software.

“This attack and Stuxnet highlight that the biggest weakness in cyber is the people element,” said Stewart. “The lesson here is that the mantra People Process Technology remains one that organisations need to be fixated on.”

As GoldenJackal and Stuxnet both prove, there is a gap between the theory that such systems are impossible to breach and the resource-driven practicality of highly motivated threat groups, and it is even bigger than the air gap itself: the gap of reality.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
