It eluded detection for at least five years.
Both Kaspersky and Symantec have unearthed a new type of malware so advanced, they believe it could have links to a country’s intelligence agency. They’re calling it “Remsec,” “Strider” (Aragorn’s nickname in LOTR) and “ProjectSauron,” because it has several references to the Necromancer in Tolkien’s series. According to Symantec, it has been used for what could be state-sponsored attacks to infiltrate 36 computers across at least seven organizations around the world since 2011. Its targets include several individuals in Russia, a Chinese airline, an unnamed organization in Sweden and an embassy in Belgium. Kaspersky says you can add various scientific research centers, military installations, telecommunications companies and financial institutions to that list.
ProjectSauron has been active since at least 2011, but it was only unearthed recently because it was designed not to use patterns security experts usually look for when hunting for malware. Kaspersky only discovered its existence when it was asked by an unnamed government organization to investigate something weird going on with its network traffic.
The malware can move across a network — across even air gapped computers that are supposed to be more secure than typical setups — to siphon passwords, cryptographic keys, IP addresses, configuration files, among other data off computers. It then stores all those information in a USB drive that Windows recognizes as an approved device. Both security companies believe its development required the involvement of specialist teams and that it costs millions of dollars to operate.
They didn’t name a government in particular, but they noted that the malware took cues from older tools used for state-sponsored attacks, including Flamer that’s been linked to Stuxnet in the past. As you might know, the Stuxnet worm, widely believed to be the joint creation of the US and Israel, infected Iran’s nuclear program computers in the mid-2000s.