Attack Methods on Air-Gapped or Network-Isolated ICS Systems

published: Aug. 3, 2023

Take action: Start educating your organization on the risks of using USB drives to transfer data to and from the air-gapped systems in the organization. Make sure that only a few well-controlled and well-protected computers (usually Linux, with full anti-malware active and strict access controls) are the source of the USB devices used to transfer data to and from the air-gapped systems. If possible, disable USB use on the other parts of the IT network.

Learn More

For decades now the gold standard of system isolation in industrial control system (ICS) environments has been the air-gapped system.

The ultimate trust in air-gap as a security control

An air-gapped system is a computer or network that is physically isolated from external networks and the internet, making it inaccessible to unauthorized or remote connections. This isolation is implemented to enhance security and prevent potential cyberattacks or data breaches that could be executed through online channels.

The seeming isolation of ICS systems via the air gap has lulled a lot of organizations into a false sense of security about their air-gapped systems, even to the point where such systems don't require a password to log in.

Air-gap is no longer enough

Now there is a cyber threat specifically designed to bypass air-gapped defenses. This threat was brought to light by researchers from Kaspersky ICS-CERT while investigating cyberattacks targeting ICS and critical infrastructure in Eastern Europe.

The attackers were found to be using a second-stage malware that manages to circumvent the typical data security measures provided by an air-gapped system.

Second-stage malware, also known as secondary or payload malware, is malicious software that is deployed after an initial infection has occurred on a target system. Its primary purpose is to establish a permanent presence on the target networks, enabling the attackers to exfiltrate sensitive data.

How does malware circumvent the air-gap?

  1. Initially, the threat actors exploit known vulnerabilities in internet-connected systems, frequently combined with phishing and social engineering, to gain an initial foothold within the ICS IT network. Once inside the IT network, they deploy modular malware designed to make the jump to the air-gapped ICS networks.
  2. This malware targets removable storage drives (USBs) used by employees on their IT systems and contaminates them with a worm that is programmed to exfiltrate specific data.
  3. Since the air-gapped systems receive data via removable storage, it's safe to assume that eventually some of these infected USBs will be used to transfer data to the air-gapped computers, thus traversing the air gap.
  4. The malware responsible for exfiltrating data from air-gapped systems comprises at least three modules, each with distinct responsibilities:
    1. profiling and managing removable drives,
    2. capturing screenshots,
    3. planting second-stage malware on any newly connected drives.
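The behaviour described in steps 2 to 4 leaves a trace a defender can look for: a drive comes back from the air-gapped side carrying files the operator never put there. The check below is an added example, not code from the article or from the Kaspersky ICS-CERT report; it assumes a USB transfer station that snapshots a drive before it goes to the air-gapped system and again on return, and the suspect extension list and sample files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a planted second-stage component would plausibly use (assumption
# for this example; tune to the environment).
SUSPECT_SUFFIXES = {".exe", ".dll", ".lnk", ".scr", ".bat", ".ps1", ".vbs"}


def manifest(drive_root):
    """Map every file on the drive (hidden ones included) to its SHA-256."""
    root = Path(drive_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def audit_returned_drive(before, after):
    """Diff the pre-transfer manifest against the one taken on return.

    Additions that are hidden (dot-prefixed path component) or executable are
    HIGH; other additions INFO; changed files MEDIUM; removed files INFO.
    """
    findings = []
    for rel, digest in after.items():
        if rel not in before:
            path = Path(rel)
            hidden = any(part.startswith(".") for part in path.parts)
            suspicious = hidden or path.suffix.lower() in SUSPECT_SUFFIXES
            findings.append(("HIGH" if suspicious else "INFO", "added", rel))
        elif before[rel] != digest:
            findings.append(("MEDIUM", "modified", rel))
    findings.extend(("INFO", "removed", rel) for rel in before if rel not in after)
    return sorted(findings)


def demo():
    """Constructed round trip: operator data goes out, a hidden folder with a
    planted DLL and a captured screenshot comes back, and the report changed."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "report.csv").write_text("constructed operator data\n")
        before = manifest(drive)
        (drive / ".sys").mkdir()
        (drive / ".sys" / "loader.dll").write_bytes(b"MZ constructed sample")
        (drive / ".sys" / "cap_001.png").write_bytes(b"\x89PNG constructed sample")
        (drive / "report.csv").write_text("constructed operator data\nCHANGED\n")
        return audit_returned_drive(before, manifest(drive))
```

Any HIGH finding should quarantine the drive rather than allow it back onto the IT network, since the stolen data only leaves once the drive is reconnected there.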

As usual, the malware makes deliberate efforts to obfuscate its actions, utilizing encrypted payloads, memory injection, and DLL hijacking. These tactics demonstrate the sophistication of the attackers' approach, making detection and prevention more challenging.

It's not enough to enter a system, the value is in data theft

In addition to the main malware, another two sets of second-stage tools are present that facilitate the transmission of stolen data from a local computer. In essence, they await the infected USB's return to the IT network after it has been inserted into an air-gapped computer and has copied data.

After they detect a USB with copied data, they package the data and, on instructions from a command and control (C2) server, exfiltrate it to cloud storage such as Dropbox.

It's a very patient malware.

Since every step depends on human action, the malware must remain invisible, patient and dormant for a long time: days, weeks, even months. This indicates a high level of sophistication and deliberate targeting of ICS systems, whether in manufacturing, utilities, energy or even the military.
