European government systems hit by air-gap malware attack


Hackers have stolen sensitive information from air-gapped systems at government bodies in Europe on at least three separate occasions, researchers have warned.

A new report from ESET explains that the threat actor, tracked as GoldenJackal, is a sophisticated cyber-espionage group that has targeted governments in South Asia and Europe over the last five years.

Air-gapped systems appear to be the group's particular specialty, and it reaches them with infected USB drives. GoldenJackal's affiliation remains unclear, but it is suspected to be a state-sponsored group, possibly from Eastern Europe or Asia. An air-gapped system is a computer or network that is physically isolated from unsecured networks such as the internet, so that attackers have no network path to it. Even so, the attackers managed to steal data from these machines by means of malware that spreads itself over removable media.

GoldenJackal

According to BleepingComputer, GoldenJackal has so far been observed targeting an embassy of a South Asian country in Belarus on two occasions, once in September 2019 and once in July 2021. It was also seen going after a European government organization between May 2022 and March 2024.

The attack starts with a USB drive carrying a piece of malware. Notably, the group built different variants for different victims, which ESET's researchers read as a sign of its resourcefulness. In some intrusions it used a component called GoldenDealer, in others one called GoldenAce.

This component copies itself, together with other malware, onto an air-gapped machine as soon as the USB drive is plugged in. The other malware includes a backdoor called GoldenHowl and an infostealer called GoldenRobo; in the newer toolset, GoldenUsbCopy and GoldenUsbGo fill the stealer role. The stealer's task is to copy documents, images, encryption keys, OpenVPN configuration files and other valuable data into a hidden directory on the USB drive.

Then, when the USB drive is reconnected to an internet-connected machine, the malware running there uploads everything that was staged on the drive to the C2 server.
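As an added illustration of the staging pattern described above (this is not code from ESET's report, from GoldenJackal's tooling or from the article), here is a triage script that walks a mounted removable drive and reports hidden directories holding documents, image files, key material, VPN configurations or executables. The extension lists, the constructed sample drive layout and the function names are this example's own assumptions.

```python
"""Triage a removable drive for data staged in hidden directories.

Added example, not from the ESET report or the article. It flags the
generic pattern of loot and payloads parked in hidden directories on
removable media; extension lists and thresholds are assumptions.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Assumed file types an intruder would collect from an isolated host.
LOOT_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".odt",   # documents
    ".jpg", ".jpeg", ".png",                                   # images
    ".ovpn",                                                   # VPN configs
    ".pem", ".key", ".ppk", ".p12", ".pfx", ".gpg", ".kdbx",   # key material
}
# Assumed file types that indicate a planted executable rather than user data.
PAYLOAD_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".lnk", ".vbs", ".js"}


@dataclass
class Finding:
    directory: Path
    loot: list[Path] = field(default_factory=list)
    payloads: list[Path] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A hidden location holding collected data or an executable is worth a look.
        return bool(self.loot or self.payloads)


def is_hidden(path: Path) -> bool:
    """Hidden by dot-name (POSIX convention) or by the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    try:
        st = path.stat()
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)          # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def in_hidden_tree(root: Path, directory: Path) -> bool:
    """True if the directory or any ancestor below the drive root is hidden."""
    probe = root
    for part in directory.relative_to(root).parts:
        probe = probe / part
        if is_hidden(probe):
            return True
    return False


def scan_removable_root(root: Path) -> list[Finding]:
    """Walk the drive and report hidden directories that contain staged files."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        current = Path(dirpath)
        if current == root or not in_hidden_tree(root, current):
            continue                      # keep walking; hidden dirs may be nested deeper
        finding = Finding(directory=current)
        for name in filenames:
            candidate = current / name
            ext = candidate.suffix.lower()
            if ext in LOOT_EXTENSIONS:
                finding.loot.append(candidate)
            elif ext in PAYLOAD_EXTENSIONS:
                finding.payloads.append(candidate)
        if finding.suspicious:
            findings.append(finding)
    return sorted(findings, key=lambda f: str(f.directory))


def build_sample_drive(base: Path) -> Path:
    """Constructed drive layout for demonstration: one benign folder, one staging tree."""
    root = base / "usb"
    (root / "Photos").mkdir(parents=True)
    (root / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")      # visible, benign
    (root / "notes.txt").write_text("shopping list")                   # visible, benign
    staging = root / ".cache"                                          # hidden staging dir
    (staging / "keys").mkdir(parents=True)
    (staging / "report.docx").write_bytes(b"PK\x03\x04")
    (staging / "client.ovpn").write_text("remote vpn.example.invalid 1194\n")
    (staging / "update.exe").write_bytes(b"MZ")
    (staging / "keys" / "id_rsa.pem").write_text("-----BEGIN PRIVATE KEY-----\n")
    return root


def demo_findings() -> list[Finding]:
    """Build the constructed drive in a temp dir and scan it."""
    return scan_removable_root(build_sample_drive(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.directory}: {len(f.loot)} loot file(s), {len(f.payloads)} payload(s)")
        for p in f.loot + f.payloads:
            print("   ", p.name)
```

Extension matching is only a first pass: a stealer can encrypt or rename what it stages, so a hidden directory holding large, recently written, unrecognizable blobs deserves the same attention as one full of `.docx` files. The more reliable control on isolated networks is to allow-list removable media at the device level and log every insertion event, rather than to hunt for loot after the fact.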


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
