Brutal Kangaroo: Another Attack for Air-Gapped Systems
Wikileaks has been known for publishing mass batches of documents exposing data and information. The recent leaks were from Vault 7. Included in the leak were documentation, dated May 11, 2105 and February 23, 2016, for a tool that was created and used by the CIA. This tool was coded and engineered to be used to compromise air-gapped systems using MS Windows. Air gapped systems are not a new phenomena used in the industry. This has been used for decades, predominantly with the ICS/SCADA systems. The air-gapping is the act of removing the connectivity of the system from the internet and other systems. This is intended to be used in an environment where security is significantly pertinent for the situation.
Attack Method
As noted, systems such as SCADA are air-gapped. The air-gap process, separated from the internet, the network, and other systems, seemingly are secure. In theory, as these are not connected to or communicate with any other system, the opportunity for compromise should be at a significantly minimal level.
This has not been the case. There have been various attacks on other air gapped systems. Two of these proof of concept attacks designed to exfiltrate data have involved the system’s fan and LED lights. Although, in theory, these have been acceptable in application and successful, the data exfiltration had been not at a significant rate. There also had been operational difficulties in implementing these attacks. This has been somewhat solved with the current attack.
With the Brutal Kangaroo, to compromise the systems, the attack method utilized the simple thumb drive. This also would be used to spread the malware to other systems and as a vector to remove data from the systems.
The malware was partitioned into four distinct applications. The first was Shattered Assurance. This initial attack tool was server side code, which infected the USBG drives with the Drifting Deadline malware.
The infected drive is then plugged into the target’s USB, infecting the system with Drifting Deadline (formerly known as Emotional Simian). There are however parameters with this attack. The system must have autorun enabled and installed with the MS Windows 7 and using .net 4.5. If these are in place, the Drifting Deadline pushes the Shadow malware onto the system.
The Shadow portion of the malware makes this a bit different. This is coded to define the tasks to be done by the malware. As the system is offline, this Shadow works without input from outside of the target. This portion was coded much earlier than the remainder of the malware. The user manual for this was dated August 31, 2012. Curiously the code for this may be configured for various targets. One of the malware’s options is to save up to 10% of the system’s data. If this is selected, once the data is collected, it is watermarked and encrypted in a separate partition.
The data, once encrypted, may be exfiltrated via two primary methods. The data may be placed on a thumb drive by the user or if there happens to be an internet connection available at any time, this is utilized. Once the system is infected, the malware reviews the network for other connections to infect, if available.
Nuance
The attack itself is a vaguely familiar fashion. The primary form of the attack, the USB, is not new and has been used by attackers for years. There is a slightly new application with this. There is a level of co-operability built in with the malware. On the network if there were to be multiple compromised systems with the Brutal Kangaroo malware, these systems could work together if these happen to be connected. These various compromised systems would work together with the tasks to be done and exchanging data.
Closing
Early on in this field and industry, the air gapping was considered a safe and secure configuration. This was utilized especially in the ICS and SCADA industry. At one point attacks designed to exfiltrate data were created and implemented. This attack is another version of the attack with a slight update.
Resources
Burton, G. (2017, June 22). Wikileaks dump outs CIA’s ‘brutal kangaroo’ toolkit for hacking air-gapped networks. Retrieved from https://www.theinquirer.net/inquire/news/2012499/-wikileaks-cia-uses-brutal-kangaroo-toolkit-to-hack-air-gapped-networks
Glaser, A. (2017, March 7). Weeping angel, brutal kangaroo and other secret CIA code names from the wikileaks surveillance leak. Retrieved from https://www.recode.net/2017/03/7/14846926/cia-code-names-surveillance-wikileaks
Goodin, D. (2017, June 22). How the CIA infects air-gapped networks. Retrieved from https://arstechnica.com/security/2017/06/leaked-documents-reveal-secret-cia-operation-for-infecting-air-gapped-pcs/
Khandelwal, S. (2017, June 22). Brutal kangaroo: CIA-developed malware for hacking air-gapped networks covertly. Retrieved from http://thehackernews.com/2017/06/wikileaks-Brutal-Kangaroo-airgap-malware.html
Paganini, P. (2017, June 22). Brutal kangaroo is the CIA tool suite for hacking air-gapped networks. Retrieved from http://securityaffairs.co/wordpress/60322/hacking/brutal-kangaroo-cia.html
Thomson, I. (2017, June 22). WikiLeaks doc dump reveals CIA tools for infecting air-gapped PCs. Retrieved from https://www.theregister.co.uk/2017/06/22/wikileaks_cia_brutal_kangaroo/
Wikileaks. (n.d.). Vault 7: CIA hacking tool revealed. Retrieved from https://wikileaks.org/ciav7p1/cms/page_13763236.html