Project Sauron

  • First known sample

    2011
  • Discovery

    2016
  • Number of targets

    1-100
  • Current status

    Active
  • Type

    Complex cyberattack platform
  • Targeted platforms

    Windows
  • TOP targeted countries

    Iran, Russia
  • Purpose/Functions

    Cyberespionage
  • Special features

    ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how the attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. For example, all artifacts are customized per target, reducing their value as indicators of compromise for any other victim.

    Some other key features of ProjectSauron:

      • It is a modular platform designed to enable long-term cyber-espionage campaigns.
      • All modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.
      • It uses a modified Lua scripting engine to implement the core platform and its plugins. There are upwards of 50 different plugin types.
      • The actor behind ProjectSauron has a high interest in communication encryption software widely used by the targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.
      • It is able to exfiltrate data from air-gapped networks by using specially prepared USB storage drives on which data is stored in an area invisible to the operating system.
      • The platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.
      • The APT was operational as early as June 2011 and remained active until April 2016.
      • The initial infection vector used to penetrate victim networks remains unknown.
      • The attackers utilize legitimate software distribution channels for lateral movement within infected networks.
  • Targets

    Academia/Research, Financial institutions, Government entities, Military, Telecoms
  • Description

    A highly advanced cyber-espionage platform active from June 2011 to April 2016. It was used to launch long-term intelligence gathering campaigns against at least 30 organizations in Russia, Iran, and Rwanda. Attacked organizations represented the government, military, telecoms, finance, and scientific research.