GoldenJackal, an Advanced Persistent Threat (APT) group, has been making waves in the cybersecurity world for its successful breaches of air-gapped systems, typically a feat achieved only by nation-state actors. The group has specifically targeted government and diplomatic entities in Europe, the Middle East, and South Asia since 2019, catching the attention of security researchers.
Security researchers have delved into the tactics, techniques, and procedures (TTPs) employed by GoldenJackal during their operations, shedding light on the group’s sophisticated methods.
One notable aspect of GoldenJackal’s operations is their ability to compromise air-gapped networks, which are physically isolated from the internet and other untrusted networks precisely so that remote attackers cannot reach them. Breaking into air-gapped networks is a challenging task even for seasoned attackers, which makes GoldenJackal’s repeated success in this area notable.
According to researchers from ESET, GoldenJackal has developed and effectively deployed two distinct toolsets to breach these air-gapped systems. The first toolset, used in an attack against a South Asian embassy in Belarus, comprises three main components: GoldenDealer, GoldenHowl, and GoldenRobo.
GoldenDealer is the component that delivers executables to air-gapped systems via USB drives. It watches for removable drives being inserted on both the internet-connected and the air-gapped PCs, checks whether the machine it is running on has internet connectivity, and keeps its state in configuration files.
GoldenHowl is a modular backdoor dating from GoldenJackal’s 2019 toolset; its functionality is split across modules and it is distributed as a self-extracting archive. GoldenRobo, the third component, is written in Go and tries every drive letter from A to Z in turn.
In subsequent attacks against a European Union governmental organization, GoldenJackal employed a second highly modular toolset, enabling attackers to gather and process information, distribute files and configurations, and exfiltrate files from compromised systems.
The researchers highlight the unprecedented nature of GoldenJackal’s ability to create and deploy two specific compromise toolsets for air-gapped systems within just five years, showcasing the group’s resourcefulness and intricate attack processes.
While GoldenJackal’s toolsets are indeed sophisticated, they are not infallible. Researchers emphasize that defenders can enhance their readiness against future attacks by studying the group’s tactics. In an effort to assist defenders, the researchers have shared a public list of Indicators of Compromise (IOCs) on GitHub.
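The two behaviours described above that a defender can actually look for are executables being launched from a freshly inserted removable drive (GoldenDealer-style USB delivery) and a single process walking drive letters A to Z (GoldenRobo-style). The following is an added example written for this article, not ESET’s code and not anything from the GoldenJackal toolsets: two detection rules run over constructed telemetry. The `key=value` line format, the hostnames, PIDs, paths and all thresholds are assumptions for the example; map the parser to whatever your own telemetry emits (for instance Sysmon Event ID 1 for process creation).

```python
"""Added example, not from the original article or ESET: detection logic for
USB-borne air-gap tradecraft, run over constructed log lines.

Rule 1: executable launched from a removable drive shortly after it was mounted.
Rule 2: one process touching many distinct drive letters in a short window.

Line format, hosts, pids, paths, windows and thresholds are all assumptions.
"""
import string
from collections import defaultdict
from datetime import datetime, timedelta

MOUNT_TO_EXEC_WINDOW = timedelta(minutes=5)   # assumption, tune to environment
SWEEP_WINDOW = timedelta(seconds=30)          # assumption
SWEEP_MIN_DRIVES = 8                          # assumption

# Constructed sample telemetry (not real captures). One key=value record per line;
# values in this toy format must not contain spaces.
SAMPLE_LINES = [
    r"2024-05-14T09:12:01Z host=WS01 event=removable_mount drive=E:",
    r"2024-05-14T09:12:30Z host=WS01 event=process_create pid=4120 image=E:\setup.exe parent=C:\Windows\explorer.exe",
    r"2024-05-14T09:40:00Z host=WS01 event=process_create pid=4188 image=C:\Tools\backup.exe parent=C:\Windows\explorer.exe",
    r"2024-05-14T09:40:05Z host=WS01 event=drive_access pid=4188 drive=C:",
    r"2024-05-14T09:40:06Z host=WS01 event=drive_access pid=4188 drive=D:",
    r"2024-05-14T09:41:00Z host=WS02 event=process_create pid=5020 image=C:\Users\u\AppData\Local\Temp\svc.exe parent=C:\Windows\explorer.exe",
    r"2024-05-14T10:00:00Z host=WS03 event=removable_mount drive=F:",
    r"2024-05-14T10:20:00Z host=WS03 event=process_create pid=6010 image=F:\report.exe parent=C:\Windows\explorer.exe",
] + [
    # pid 5020 on WS02 sweeps A: through Z:, one drive per second
    f"2024-05-14T09:41:{3 + i:02d}Z host=WS02 event=drive_access pid=5020 drive={c}:"
    for i, c in enumerate(string.ascii_uppercase)
]


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(lines):
    """Parse and sort records chronologically so stateful rules see events in order."""
    events = [parse_line(l) for l in lines if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_exec_from_fresh_removable(events):
    """Rule 1: process created from a drive letter mounted as removable within the window."""
    mounts = {}  # (host, drive letter) -> most recent mount time
    alerts = []
    for ev in events:
        if ev["event"] == "removable_mount":
            mounts[(ev["host"], ev["drive"].upper())] = ev["ts"]
        elif ev["event"] == "process_create":
            drive = ev["image"][:2].upper()  # 'E:' from 'E:\setup.exe'
            mounted = mounts.get((ev["host"], drive))
            if mounted is not None and ev["ts"] - mounted <= MOUNT_TO_EXEC_WINDOW:
                alerts.append({
                    "rule": "exec_from_fresh_removable",
                    "host": ev["host"], "pid": ev["pid"], "drive": drive,
                    "image": ev["image"],
                    "seconds_after_mount": int((ev["ts"] - mounted).total_seconds()),
                })
    return alerts


def detect_drive_sweep(events):
    """Rule 2: per (host, pid), max distinct drive letters accessed inside any SWEEP_WINDOW."""
    images = {(e["host"], e["pid"]): e["image"] for e in events if e["event"] == "process_create"}
    per_proc = defaultdict(list)
    for ev in events:
        if ev["event"] == "drive_access":
            per_proc[(ev["host"], ev["pid"])].append((ev["ts"], ev["drive"].upper()))
    alerts = []
    for (host, pid), accesses in per_proc.items():
        accesses.sort()
        best, start = 0, 0
        for end in range(len(accesses)):
            while accesses[end][0] - accesses[start][0] > SWEEP_WINDOW:
                start += 1  # slide the window forward
            best = max(best, len({d for _, d in accesses[start:end + 1]}))
        if best >= SWEEP_MIN_DRIVES:
            alerts.append({"rule": "drive_sweep", "host": host, "pid": pid,
                           "image": images.get((host, pid), "?"), "drives": best})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LINES)
    for alert in detect_exec_from_fresh_removable(evs) + detect_drive_sweep(evs):
        print(alert)
```

On the constructed sample, rule 1 fires once (WS01, `E:\setup.exe` launched 29 seconds after `E:` was mounted) and does not fire for `F:\report.exe` on WS03, which runs twenty minutes after its mount; rule 2 fires once for pid 5020 on WS02, which touched all 26 drive letters inside a 30-second window, while the backup process that touched only `C:` and `D:` stays quiet. Both windows and the eight-drive threshold are starting points to be tuned against your own baseline, and neither rule on its own is proof of compromise.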
Overall, GoldenJackal’s exploits in breaching air-gapped systems demonstrate the evolving landscape of cybersecurity threats and the importance of staying vigilant against sophisticated adversaries. Defenders must continue to adapt and improve their defenses to safeguard critical systems and information from such persistent threats.