For applications that require the highest possible security, air-gapped systems divorced from the internet entirely are usually the answer. These computers guard everything from state secrets to industrial and electrical grid controls. But they’re also only as safe as the devices that are physically connected to them, as a newly documented series of malware attacks reveals.
A likely state-sponsored hacking group called GoldenJackal has compromised at least two air-gapped systems owned by government entities, according to a new report from ESET. The group’s first known activity was in 2019, when it breached the Belarus embassy of an unspecified South Asian country. The hackers then surfaced again in 2022, with a similar malware attack on an unnamed European government entity that lasted until 2024.
Hackers pull off malware attack via connected USB drives
The basic setup of the malware attack is simple, but clever: compromise a USB drive known to be regularly connected to air-gapped systems, and let it harvest files for you. When it is returned to an internet-connected device, the stolen files are forwarded along their way.
The malware that GoldenJackal used appears to have planted a malicious executable on these drives, made up to look like a common folder. After connecting the drive to an air-gapped system, the target would click on this tainted executable thinking they were opening the folder. This installed the malware on the target system, which on the first pass would simply map it out and gather system information. The victim would have to return to the air-gapped system with the drive at least a second time for it to begin harvesting files, but on all subsequent connections the malware would run automatically in the background with no further input from the victim.
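The lure described above (an executable dressed up as a folder, carried on a drive that shuttles between connected and air-gapped machines) leaves name-level traces that a defender can check for before a removable drive is plugged into a sensitive host. The script below is an added example, not code from ESET or from the article, and the three heuristics it applies are assumptions made for illustration: an executable whose name matches a sibling folder, a file whose content starts with the PE `MZ` magic but carries a non-executable extension, and any executable sitting in the root of the volume. The sample drive layout it builds under a temporary directory is constructed here for the demo.

```python
"""Scan a removable volume for executables posing as folders or documents.

Added example (not part of the original article or ESET's research).
Heuristics are assumptions chosen for illustration:
 1. an executable whose stem matches a sibling directory name
 2. a file whose content begins with the PE magic 'MZ' but whose
    extension is not an executable extension (content/name mismatch)
 3. any executable located in the root of the volume
"""
import os
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"


def _is_pe(path):
    """True if the file starts with the DOS/PE 'MZ' header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def scan_volume(root):
    """Walk a mounted volume and return {relative_path: [reasons]}."""
    root = Path(root)
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirpath = Path(dirpath)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            path = dirpath / name
            suffix = path.suffix.lower()
            reasons = []
            if suffix in EXEC_SUFFIXES:
                if path.stem.lower() in sibling_dirs:
                    reasons.append("executable shares its name with a sibling folder")
                if dirpath == root:
                    reasons.append("executable in volume root")
            elif _is_pe(path):
                reasons.append("PE header but extension " + (suffix or "(none)"))
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_volume(base):
    """Construct a sample drive layout (constructed data, not a real capture)."""
    base = Path(base)
    (base / "Documents").mkdir()
    (base / "Documents" / "memo.txt").write_text("quarterly notes\n")
    # lookalike executable next to the real folder it imitates
    (base / "Documents.exe").write_bytes(PE_MAGIC + b"\x90" * 62)
    # PE content hiding behind a document extension
    (base / "report.pdf").write_bytes(PE_MAGIC + b"\x00" * 62)
    # benign items that should not be flagged
    (base / "notes.txt").write_text("plain text\n")
    (base / "tools").mkdir()
    (base / "tools" / "helper.exe").write_bytes(PE_MAGIC + b"\x00" * 62)
    return base


def demo():
    """Build the sample volume in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    build_sample_volume(root)
    return scan_volume(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(rel, "->", "; ".join(why))
```

Run it against a real mount point by calling `scan_volume("/media/usb")` (or a drive letter on Windows) before the drive goes anywhere near a protected host; the heuristics are deliberately cheap so they can run on a dedicated transfer-checking station rather than on the air-gapped system itself.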
Air-gapped systems targeted by state-backed attackers
There is still debate and uncertainty as to who GoldenJackal works for. One possibility that can be eliminated is that it is some sort of profit-seeking private criminal actor. ESET notes that there is no known history of air-gapped systems being targeted by anyone other than nation-state advanced threat groups, due to the resources and intelligence required to pull something like this off.
As to who it is, the lead candidate would appear to be Russia. ESET notes that at least one of the malware attacks shares a command-and-control protocol with one used by the FSB-connected “Turla” group. Some older research suggests the group may be a North Korean unit, but without clear evidence in support. ESET does not have any information on how the targets were initially compromised via the internet, but older documentation from Kaspersky indicates the group has previously phished with tainted Word documents and Skype installers.
What is known is that the group focuses on stealth and persistence, with the European incident lasting for nearly two years (May 2022 to March 2024). The group is apparently skilled at evading detection, and has a specific focus on government and diplomatic targets. It also appears to focus on targets in Europe, the Middle East, and South Asia.