Cool. So I'm super happy to be here. I agree with everyone who was previously on stage about how great it is to see people face-to-face. So before we start, full disclosure: I've never seen a real air-gap network in my life, but in my mind it looks really just like in this picture. So a small castle, isolated, cut off from the internet and used to protect the most sensitive stuff. Top-secret documents, power grids, maybe nuclear centrifuges. And whenever we analyze a malware that is designed to attack such a network, I'm not gonna lie, there's a little bit of an adrenaline rush, because we know we're looking at a tool that the threat actor designed to attack something of great value and something that probably went unnoticed for too long. So, yeah, so I'm Alexis, with Facundo. We'll be talking about how threat actors have been attacking air-gap networks with malware specifically built to operate in these very restricted environments. And you'd think such malware would be pretty rare, right, which is kind of true, but in 2020 alone four previously unknown frameworks were uncovered, and that's what prompted us to revisit that specific class of malware and put all the known frameworks in perspective and see how they work and if we could come up with effective methods to detect and to prevent these frameworks from succeeding. And we actually published a very thorough white paper on our corporate blog, welivesecurity.com, just a few months ago, so all the details are there, and today we're gonna present to you some of the highlights of that research. And so to do that study, we had to come up with a definition of what constitutes a malware built to target air-gap networks, because there are no real definitions out there, at least not from the technical point of view. And so after a couple of weeks of back and forth, Facundo and I agreed on that specific definition.
So we define it as a malware, or a set of malware components acting together, so a framework, that implements an offline covert communication mechanism between an air-gap system and the attacker. And we believe it all started a little over 15 years ago with the infamous group called Sednit, also known as APT28, who we believe developed and used USBStealer as early as 2005. And after that followed no less than 16 other frameworks developed by other threat actors, so for a grand total of 17. A few of those 17 have been attributed with pretty high confidence to known threat actors, such as DarkHotel or Mustang Panda. But for the others, the attribution has been less clear-cut or even pretty controversial. But regardless, we can state that all of them are the product of nation-state actors, hence the title of our research, 15 years of nation-state efforts. And in our analysis, we studied all the existing public reports on those known frameworks and compared them on several properties, with a focus on the ones that are specifically relevant for an air-gapped network environment, such as how the malware gets executed on the air-gap side and how the malware establishes a communication channel between the isolated systems and the attacker, which is how the malware jumps the air gap, so to speak. And for this, we formalized the anatomy of air-gap networks, but from the malware operation perspective. And we came up with two distinct categories. We've got connected and offline frameworks. So let me show you how that works. So most of the frameworks belong to that first category, connected ones. And those are built to provide fully remote end-to-end connectivity over the internet between the attacker and the isolated systems. And so we'll consider a target network as having two sides separated by an air gap. So at the top, you've got the connected side. So those are computer systems that have internet connectivity.
And at the bottom, you've got the air-gap side, where all the systems cannot be reached from the internet. That's where the attacker really wants to get to. And that's a fairly typical setup, at least so I've heard, because people working in these kinds of environments still need a connected system to get their emails, browse the net and that kind of stuff. And that connected system will naturally be the point of entry for the attacker to get inside that network. So now, the techniques used to gain access to that initial connected system don't really differ from traditional attacks. It can be email-based, watering-hole attacks. That's not really the interesting part. What's interesting is the type of payload that will be deployed on that system. And one thing that that payload will do that is specific to air-gap environments is it will wait for a USB drive to be plugged into the system, and it will weaponize it, just like a USB worm actually. And that will mean two things. First, it will copy the malware meant to be executed on the air-gap side. And there will also be some sort of execution vector that will trigger the execution of the malware. It could be an exploit, decoy documents or something else. And Facundo will get into more details about that specific part in just a few moments. And so then, when the weaponized drive gets inserted in the air-gap system, that's when the execution vector will be triggered and the malware will be deployed. And that malware will usually do some automated stuff, like doing some reconnaissance, collecting information about the environment, the host environment, the network environment. It will collect files that the attacker wants a copy of. And it will store all that data on the USB drive in a very covert way. And that's where the data exfiltration from the air-gap system happens.
And again, Facundo will give you some pretty cool details about how that data gets copied onto the drive and the various techniques used so that this doesn't get detected at all. But now, the data leaving the air-gap system onto the USB drive is one part, but the data still needs to reach the attacker, right? And for that, the drive needs to reach again the first infected system, the connected system. And the malware running there, on top of weaponizing USB drives, will also have code to recognize a drive that contains that exfiltrated data. It will parse it and exfiltrate the stolen data back to the Internet. And all these steps usually happen automatically in most of the 17 frameworks we analyzed. But other frameworks will have one layer of additional functionality, and they will implement a totally independent protocol to allow the attacker to interactively exchange commands and responses with the air-gap systems. And so in these cases, we'll see two different protocols. You'll have one protocol that goes over the Internet between the attacker and the connected system, and there will be a totally different protocol that goes over the USB drive to communicate between the connected system and the air-gap ones. And you could see the connected system as acting as a proxy between the attacker and the real systems of value here. In other rare cases, the attack scenario actually doesn't involve any connected system at all. We call these offline frameworks, but I think of them as Mission Impossible frameworks, because in these cases, everything indicates the presence of an operator on the ground who will perform those critical actions, such as weaponizing the USB drive or even physically carrying the drive, plugging it into the target systems and leaving with the stolen data. And now I'll pass the mic to Facundo, who'll give you some pretty cool details on the various TTPs that we observed. Thank you.
So as Alexis said, we focus on the malware properties that are specific to attacking air-gap networks. We have divided them into three broad categories, covering all the techniques used to execute the malicious code for the purpose of gaining a foothold in the network or conducting reconnaissance of potential air-gap systems. These categories are: automated execution; non-automated execution, unknowingly triggered; and non-automated execution, deliberately performed. So let's begin with automated execution. Exploiting remote execution vulnerabilities is the most effective technique to execute the malware. 11 such vulnerabilities have been discovered and patched in the last decade, and only two have been confirmed to have been used in the wild. The most famous one is, without a doubt, the Stuxnet LNK exploit, which only requires the user to view a set of LNK files through Windows Explorer to trigger the vulnerability. However, it was later discovered by Kaspersky researchers that the Equation Group's Fanny malware had used the exploit even before Stuxnet, since at least 2008. And even after Microsoft released a patch in 2010, the Flame, miniFlame and Gauss malware continued to exploit it. But since the discovery of these malware, no other exploit-based automated execution has ever been observed in the wild to compromise air-gap networks. For the next category, we will take a step back from the complexity of exploiting software vulnerabilities and focus instead on the human factor and deception tricks. In this scenario, the aim is to trick an unsuspecting user into executing the malicious code. We have observed three main techniques: the abuse of the Windows AutoRun and AutoPlay features, decoy files to lure the potential victims, and infecting existing files with malicious code. For example, DarkHotel's Retro malware uses a tool that allows it to replace Word documents with RTF copies that contain an exploit that will launch the malware on the machine.
Now, at least five of the 17 frameworks have abused AutoRun or AutoPlay in one way or another. USBStealer and Agent.BTZ, as well as an earlier version of Stuxnet, used an AutoRun file that contained both the executable and the AutoRun instructions. Stuxnet disabled AutoPlay to force the user to go to My Computer or use the entry in the navigation pane of Windows Explorer. And with the shell command, it set an additional Open command in the context menu that executed Stuxnet if the potential victim clicked on it or double-clicked on the drive shortcut. Now, Mustang Panda's custom PlugX malware uses a much simpler trick. It hides all the existing folders on the drive and creates an LNK file for each one pointing to the malicious executable in the recycle.bin folder. These techniques preserve the appearance of a clean drive. Perhaps the techniques under this last category are the most puzzling. The analysis indicates that the attackers did not intend to trick an unsuspecting user into executing the malicious code. It appears that the concept for the mission was to have a human asset covertly execute the malicious components in the target network. Now, how do you think, from a malware researcher's perspective, we can identify such a scenario? Let's take the interesting case of USBCulprit by the APT group Cycldek, also known as Goblin Panda. In this case, the code running on the connected side responsible for weaponizing the designated USB drives copies the malware meant for the air-gap system into a hidden folder on the drive without any execution vector. So the analysis indicated that the only possible way for the malware to execute is if someone knows exactly where to look for the malware and launches it manually. Now, in 2015, we discovered a malware on a mission. We call it USB diff.
At the time, we could not attribute this sophisticated malware to any known group. It wasn't until two years later, when the Vault 7 leaks occurred, that we began to think that the malware was part of the Lamberts APT. Now, new findings helped us to narrow down the candidates to an implant codenamed Margarita. The description of the system fits perfectly the scenario and the capabilities implemented by USB diff: the human asset, let's call him Tom, to continue the Mission Impossible theme, will weaponize a USB drive and create the circumstances on the target machine in which he will have to see certain files on the thumb drive. He will launch Notepad++, or Firefox, or TrueCrypt, and the software will in turn silently load the malware, and in the background it prepares all the collected data for exfiltration. Now, finally, on that note, getting the malware executed on the target is one part of the mission. The collected information needs a way to leave the air-gap system and safely reach the attackers. We will now present what we consider some of the coolest ways the attackers have managed to achieve this goal. So, going back to 2008, Fanny set the bar too high, even for some of the most sophisticated malware that were discovered later, but possibly developed around the same time and by groups with the same technical proficiency. Fanny is what our colleagues from Kaspersky dubbed the USB backdoor. One of Fanny's most interesting features is that it has the capability to create a hidden storage space in USB drives that use the FAT file system. They achieve this by creating a directory entry with a combination of attributes that make it invalid for the Windows parser. So, when Windows finds such a case, the entry is ignored, essentially making the space invisible.
This entry contains an offset used by Fanny to locate an allocated space of almost one megabyte in size, which contains the collected information as well as both commands and the results of executing those commands on the target machines, or the modules that the attacker would want to execute on the system to further extend their capabilities on the compromised system. It's also worth noting that Flame used a similar trick by creating an entry with an invalid name that Windows will also ignore. This invalid name was for a special file. Now, Ramsay is a malware that we discovered in 2020 and attributed to the DarkHotel APT. The attackers came up with a decentralized way to spread the collected information across the system drives as well as the network and other removable drives. When Ramsay is injected into a process, it will hook the CloseHandle API, and when the hook is executed, it checks the extension of the file that was opened by the process. If it is a Word document, it will append a special container that encapsulates the collected, compressed information. The same container is also appended to every Word document found in any available drive. Ramsay follows the same philosophy to receive commands. It will look for other types of files which might potentially have an appended container with instructions to execute certain modules or commands at a specific target machine, based on a GUID that is in the container. All right. Now, how to defend against those types of attacks? If you can remember just one thing from our talk, it's that it's always, always, always about USB drives. There have been no publicly reported cases of any other physical layer used to communicate across air gaps: no electromagnetic signals, no acoustic signals, nothing esoteric like that. It's always via USB drives. So how to make it harder for attackers? Well, of course, disable USB ports on any systems where it's not absolutely necessary. That's going to greatly reduce the attack surface.
But for the remaining systems where USB drives have to stay enabled, there's a way to implement policies in Windows to prevent file execution when files come from removable drives. So that's one thing. And there are also more complex scenarios where you could deploy some sort of middle box where operators, legitimate users of these networks, would connect USB drives whenever they cross the air gap in any direction. And that machine would, for example, remove unwanted file types such as LNK and AutoRun files. And it could perform an anti-malware scan as well. Of course, we don't really expect an attacker on the ground to follow that policy. But you can still put in some controls. Someone shared with me a technique that apparently is deployed in different organizations where that middle box would also take a forensic image of the drive, and combined with some proper logging on the other systems, it would allow a sysadmin, for example, to spot a USB drive that was inserted in a system without having been sanitized first, and they could investigate further. So there are ways to at least detect some anomalies. Now, keeping air-gap systems updated is also something that could be interesting. Here we see the use of zero-day exploits against air-gap systems by different frameworks. So Stuxnet used an impressive five zero-days, Fanny and Brutal Kangaroo two each. EZCheese, we're not sure if it was a zero-day. But in fact, one-days were actually more popular. That means that air-gap networks got breached by exploitation of vulnerabilities for which patches were available. The thing is that apparently some sysadmins think that keeping a network air-gapped will protect against attacks. But if the systems are unpatched, you've got some sort of egg model, where you've got a very strong outer shell, which is the air gap itself. But as soon as it breaks, well, you end up with a big mess. So it's really not ideal. Challenges.
So just a few words on the challenges of analyzing that type of malware specifically. Not only because the malware is usually pretty sophisticated and technically advanced, but it's also challenging because samples are hard to come by. Air-gap systems don't always run endpoint protection. And even if they do, they probably don't have telemetry enabled where incidents of suspicious files would be reported to the vendor, and that creates a huge blind spot for security vendors like us. And at the same time, these attacks happen, kind of by definition, in very sensitive networks. So victims are very, very unlikely to share samples with external researchers and even less likely to produce a public report of the incident and describe what happened. An example of that is Ramsay. As Facundo mentioned, that's a malware we discovered in 2020. And the research started by spotting a trojanized 7-Zip installer on VirusTotal. So we analyzed the file and we determined that it was a component meant to run on the air-gap side of a network. And we started looking for the other component, the one that would be running on the connected side, the one that would parse the USB drives and look for that Ramsay container that Facundo mentioned before. And as you can see, that's an actual screenshot of our internal wiki. For two years, that element has not been fulfilled. We never found that corresponding sample that would parse the actual container. So who knows, maybe we'll find that sample one day and we'll really understand how the attackers used Ramsay in their attacks. But until now, well, we're not sure how everything really worked. So that's it for us. Thank you for your attention. And if you ever come across a malware that you believe might be built to target air-gap networks, feel free to reach out. We assure you that we'll handle the samples with the utmost confidentiality. We'll honor any TLP designation you want to assign. And thank you very much.
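The FAT hidden-storage trick described above (an invalid directory entry that Windows silently skips, pointing at a reserved region) is something a drive-sanitizing middle box can look for. The following is an added example, not code from the talk or from ESET: a small Python scanner over the raw 32-byte entries of a FAT directory cluster that flags entries violating invariants of the FAT specification. The talk does not state the exact attribute combination Fanny used, so the checks cover the general class (reserved attribute bits, contradictory attribute, cluster and size fields); the sample directory cluster is constructed inline.

```python
import struct
from dataclasses import dataclass

# FAT directory-entry attribute bits (Microsoft FAT specification)
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x08, 0x10, 0x20
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID  # 0x0F
ATTR_LONG_NAME_MASK = 0x3F
RESERVED_BITS = 0xC0  # bits 6 and 7 are reserved and must be zero
# name(11) attr ntres tenth ctime cdate adate clusHI wtime wdate clusLO size
ENTRY_FMT = "<11sBBBHHHHHHHI"
ENTRY_SIZE = 32


@dataclass
class DirEntry:
    name: str
    attr: int
    first_cluster: int
    size: int


def parse_entries(cluster: bytes) -> list[DirEntry]:
    """Parse the short-name entries of one directory cluster. A free entry (0x00)
    ends the listing; deleted (0xE5) and long-file-name entries are skipped."""
    entries = []
    for off in range(0, len(cluster) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = cluster[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:
            break
        if raw[0] == 0xE5:
            continue
        name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
        if attr & ATTR_LONG_NAME_MASK == ATTR_LONG_NAME:
            continue
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        entries.append(DirEntry(f"{base}.{ext}" if ext else base, attr, (hi << 16) | lo, size))
    return entries


def anomalies(e: DirEntry) -> list[str]:
    """Spec invariants a legitimate entry never breaks; an entry that does is the
    kind a Windows parser ignores, which is what the hiding trick relies on."""
    reasons = []
    if e.attr & RESERVED_BITS:
        reasons.append("reserved attribute bits set")
    if e.attr & ATTR_VOLUME_ID and e.attr & ATTR_DIRECTORY:
        reasons.append("volume label and directory at the same time")
    if e.attr & ATTR_DIRECTORY and e.size != 0:
        reasons.append("directory entry with non-zero file size")
    if e.attr & ATTR_VOLUME_ID and (e.first_cluster or e.size):
        reasons.append("volume label with a first cluster or size")
    return reasons


def scan(cluster: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to the invariants it violates."""
    found = {}
    for e in parse_entries(cluster):
        reasons = anomalies(e)
        if reasons:
            found[e.name] = reasons
    return found


def make_entry(base: str, ext: str, attr: int, first_cluster: int, size: int) -> bytes:
    """Build one raw 32-byte entry; used only to construct the sample below."""
    name = (base.ljust(8) + ext.ljust(3)).encode("ascii")
    return struct.pack(ENTRY_FMT, name, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


# Constructed sample: two normal entries, one LFN entry, and one invalid entry
# (hypothetical attributes) reserving an "invisible" region of about 1 MB.
SAMPLE_CLUSTER = (
    make_entry("README", "TXT", ATTR_ARCHIVE, 3, 120)
    + bytes([0x41]) + b"\x00" * 10 + bytes([ATTR_LONG_NAME]) + b"\x00" * 20
    + make_entry("DOCS", "", ATTR_DIRECTORY, 4, 0)
    + make_entry("STASH", "", ATTR_VOLUME_ID | ATTR_DIRECTORY | 0x40, 9, 1 << 20)
    + b"\x00" * ENTRY_SIZE
)
```

On a real image, feed `scan()` the raw bytes of each directory cluster (root directory first); only the STASH entry in the constructed sample is reported.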