GoldenJackal APT Targets Air-Gapped Systems in Espionage Campaign

Researchers at ESET have uncovered a series of cyberattacks on air-gapped systems within government organizations, conducted by the APT group GoldenJackal. This espionage campaign spanned from May 2022 to March 2024, employing specialized tools to infiltrate systems that are not connected to the internet.

GoldenJackal has been active since at least 2019. Among its early targets was a South Asian embassy in Belarus, where the group first deployed its unique tools designed to compromise isolated systems. This campaign marked one of the earliest recorded instances of such attacks, with the tools themselves being publicly documented for the first time.

The primary components of the tools used include:

• GoldenDealer — a program for transmitting malicious files via USB drives;
• GoldenHowl — a modular backdoor with data collection and exfiltration capabilities;
• GoldenRobo — a tool for gathering and transmitting files from compromised systems.

In later attacks on government organizations within the European Union, GoldenJackal refined its tools, making them modular. This allowed for more efficient data collection, transmission, and configuration management on infected systems.

Researchers noted that some infected systems were used for file transmission, while others acted as local servers for receiving and distributing information. The attacks primarily targeted systems containing sensitive information, particularly those lacking internet access.

One possible attack scenario by GoldenJackal involves infecting a USB drive on an external machine, which is then unknowingly connected to an air-gapped system by an unsuspecting employee. The malware installed on the device collects data, which is then returned to the hackers when the drive is reconnected to an internet-accessible system.

GoldenJackal focuses its attacks on government and diplomatic entities in Europe, South Asia, and the Middle East. The group’s operations aim to steal confidential information, primarily from highly secured machines.

While ESET has linked the tools to GoldenJackal, the origin of the group remains unclear. The use of USB devices to infiltrate air-gapped systems underscores the danger of such attacks, capable of bypassing even the strictest security measures.

This case of air-gapped system attacks illustrates that even the most secure networks are vulnerable to sophisticated intrusion methods. The reliance on physical hardware, such as USB devices, and the subtlety of the attackers’ approach highlight the importance of heightened cybersecurity measures and personnel awareness, as even the slightest oversight can result in a massive data breach.