Russian antivirus company Kaspersky Lab reports it discovered a cyber espionage group in 2015 that was able to steal confidential information from offline computers using USB sticks. The group calls itself Project Sauron and is likely state sponsored.
The group, active between June 2011 and May 2016, mainly targeted governmental organisations using tools that were unique for each victim. According to Kaspersky Labs this made detection by regular antivirus tools pretty much impossible.
Project Sauron appeared to be mainly searching for ways to gain access to encrypted communication like encryption keys, IP addresses of communication servers and configuration files. Infections by the group were found in organisations in several countries including Russia, Iran, China, Sweden and Belgium. The infections remained undetected for a long time because the group used different techniques for every infection. According to Kaspersky Lab that indicates a high level of sophistication and the company estimates it probably costed several millions of dollars to create.
The spies were even able to steal data from computers that were not connected to the internet. They were able to add a hidden partition to an USB stick inserted in a computer connected to the internet. Once the infected USB stick was inserted in an offline computer it started to infected the system. The hidden partition was then filled with data that was send to Project Sauron as soon as the USB stick was inserted in a computer connected to the internet again.
It's unknown which zero-day exploits Project Sauron abused. The used malware is only compatible with Windows and works on all modern Windows versions.
