When firewalls, network monitoring services, and antivirus software aren’t sufficient, there has always been one definitive way to protect computers that control sensitive operations like power grids and water pumps: cut them off from the internet completely. But new documents published by WikiLeaks on June 22 suggest that even when such extreme measures are taken, no computer is safe from motivated, well-resourced hackers.
The 11 documents describe a piece of software called “Brutal Kangaroo,” a set of tools made for infiltrating isolated, “air-gapped” PCs by targeting internet-connected systems within the same organization. It is the latest installment in the “Vault 7” series of leaked documents, which detail myriad hacking tools WikiLeaks says belong to the US Central Intelligence Agency (CIA).
Brutal Kangaroo works by creating a digital path from an attacker to an air-gapped computer and back. The process begins when a hacker remotely infects an internet-connected computer in the company or facility being targeted. Once it has infected that first computer, which the documents refer to as the “primary host,” Brutal Kangaroo waits. It cannot spread to other systems until someone plugs a USB thumb drive into that first one.
Once somebody does, malware specific to the manufacturer and model of the thumb drive is copied onto it, hidden in modified LNK files that Microsoft Windows uses to render desktop icons, and in DLL files that contain executable code. From this point, Brutal Kangaroo will spread further malware to any system that thumb drive is plugged into. Those systems will in turn infect every drive that is plugged into them, and so on; the idea is that eventually one of those drives will be plugged into the air-gapped computer.
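As an added example (not code from the WikiLeaks documents or from any tool they describe), the following defensive triage script shows what a practitioner can check on a removable drive before it crosses an air gap: it walks the mounted drive, parses each .lnk file's ShellLinkHeader, LinkInfo and StringData to recover the shortcut's target, arguments and icon, and flags shortcuts whose target is a DLL host such as rundll32.exe, whose arguments reference a DLL, or whose target is itself a DLL. The two shortcut files it writes into a temporary directory are constructed fixtures; the file names, paths and the heuristics are assumptions, and a real sample need not resemble them.

```python
import os
import struct
import tempfile

# Shell Link CLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# LinkFlags bits from the Shell Link format
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Executables that load DLLs or run scripts on behalf of a shortcut (assumed watch list)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}


def build_lnk(target, args="", icon=""):
    """Build a minimal .lnk with a LocalBasePath (constructed fixture, not a real sample)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if args else 0) | (HAS_ICON if icon else 0)
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20) + b"\x00" * (0x4C - 28)
    base = target.encode("cp1252") + b"\x00"
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"      # VolumeID: DRIVE_FIXED, empty label
    info_size = 28 + len(volume) + len(base) + 1
    # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags(=VolumeIDAndLocalBasePath), VolumeIDOffset,
    # LocalBasePathOffset, CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset
    link_info = struct.pack("<IIIIIII", info_size, 28, 1, 28, 28 + len(volume), 0, info_size - 1)
    link_info += volume + base + b"\x00"

    def string_data(s):  # CountCharacters followed by UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + (string_data(args) if args else b"") + (string_data(icon) if icon else b"")


def parse_lnk(data):
    """Return (target, arguments, icon_location) from the bytes of a Shell Link file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags = struct.unpack_from("<III", data, pos)
        base_off = struct.unpack_from("<I", data, pos + 16)[0]
        if info_flags & 1:                       # LocalBasePath present, null-terminated
            end = data.index(b"\x00", pos + base_off)
            target = data[pos + base_off:end].decode("cp1252")
        pos += info_size
    strings = {}
    for key, bit in (("name", HAS_NAME), ("relpath", HAS_RELPATH), ("workdir", HAS_WORKDIR),
                     ("args", HAS_ARGS), ("icon", HAS_ICON)):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return target or strings.get("relpath", ""), strings.get("args", ""), strings.get("icon", "")


def assess(target, args, icon):
    """Return the reasons a shortcut looks like a DLL loader; an empty list means no finding."""
    reasons = []
    exe = os.path.basename(target.replace("\\", "/")).lower()
    if exe in LOLBINS:
        reasons.append(f"target is a script/DLL host ({exe})")
    if ".dll" in args.lower():
        reasons.append("arguments reference a DLL")
    if target.lower().endswith(".dll"):
        reasons.append("target itself is a DLL")
    if icon and reasons:
        reasons.append("custom icon set on a suspicious shortcut (possible masquerading)")
    return reasons


def scan_drive(root):
    """Walk a mounted removable drive and map each suspicious .lnk path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    reasons = assess(*parse_lnk(fh.read()))
            except (OSError, ValueError):
                continue                         # unreadable or malformed: not a shortcut
            if reasons:
                findings[path] = reasons
    return findings


def demo():
    """Write two constructed shortcuts into a temp dir standing in for a USB drive, then scan it."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "Notes.lnk"), "wb") as fh:   # benign: plain editor shortcut
        fh.write(build_lnk(r"C:\Windows\notepad.exe"))
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:  # suspicious: DLL host + DLL argument
        fh.write(build_lnk(r"C:\Windows\System32\rundll32.exe",
                           r"E:\.cache\viewer.dll,Run", r"%SystemRoot%\system32\shell32.dll,3"))
    return scan_drive(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Run it against a real mount point by calling `scan_drive("/media/usb")` (or the drive letter on Windows); the parser only reads the header, LinkInfo and StringData, so it never resolves or executes anything the shortcut points at.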
The major flaw in the concept of isolating sensitive computers is that the air gap can only be maintained if no one ever needs to copy files onto or off of them. But even for such isolated systems, there are always updates and applications to install, and data that has to be fed in or pulled out. It is common knowledge among IT specialists that external hard drives are an obvious target for anyone seeking to bridge the air gap, and precautions are presumably taken in facilities with diligent IT staff. Those precautions, however, can be subverted with exploits of obscure vulnerabilities, and sometimes mistakes simply happen.