It’s designed to infiltrate high-profile computer networks run by governments, military sites, and corporations.
In a joint effort, researchers from the computer security firms Symantec and Kaspersky Lab have detected an advanced malware platform that has gone undetected for at least five years.
The malware has been dubbed “ProjectSauron” since its code references Sauron, the “all-seeing” antagonist in Lord of the Rings, according to a Symantec blog post.
The cyber-espionage program has been active since 2011 or earlier, targeting networks in countries like Russia, China, and Iran. Instead of the more common malware that infects regular computers, ProjectSauron is designed to infiltrate high-profile computer networks run by governments, military science, IT corporations, and science research centers.
It spies on the infected networks by logging keystrokes, opening a backdoor to compromised systems, and stealing personal information, like usernames and passwords. The researchers say that information was also compromised via USB sticks attached to infected systems, and incredibly, ProjectSauron is even capable of attacking “air-gapped” computers that aren’t connected to the Internet.
Why did it take so long for security experts to discover ProjectSauron? In a published report, they describe how the “pattern-less” program is essentially designed to be invisible. The attackers use unique code for each separate target, so the malware never shares the reusable indicators across victims that would trigger the usual red flags security researchers track.
Given this level of sophistication, the researchers speculate that it is likely the work of a hacking group sponsored by a government intelligence organization, with a budget probably running into millions of dollars.
“We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state,” the report states.
However, as for who specifically is behind ProjectSauron, the researchers say “attribution is rarely possible in cyberspace.”
“Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources,” they wrote in the report. “When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.”
The researchers report that ProjectSauron activity seems to have dropped significantly this year, but they cannot guarantee the high-profile hacking will not resume.
“We are aware of more than 30 organisations attacked, but we are sure that this is just a tiny tip of the iceberg,” the security experts conclude.