ESET Research: GoldenJackal APT group, with air-gap-capable tools, targets systems in Europe to steal confidential data

  • GoldenJackal, an advanced persistent threat (APT) group, used a custom toolset to target air-gapped systems at a South Asian embassy in Belarus since at least August 2019.
  • In another attack, GoldenJackal deployed a highly modular toolset in Europe on various occasions between May 2022 and March 2024 against a government organisation in a European Union country.
  • These toolsets provide GoldenJackal with a wide set of capabilities for compromising and persisting in targeted networks. Victimised systems are given different roles in the local network, from collecting interesting – likely confidential – information, to processing the information, distributing files, configurations, and commands to other systems, or exfiltrating files.
  • The ultimate goal of GoldenJackal is very likely to be stealing confidential information, especially from high-profile machines that are intentionally isolated from the internet.

MONTREAL, BRATISLAVA — October 7, 2024 — ESET researchers have discovered a series of attacks that took place in Europe from May 2022 to March 2024, where the attackers used a toolset capable of targeting air-gapped systems, in a governmental organisation of a European Union country. ESET attributes the campaign to GoldenJackal, a cyberespionage APT group that targets government and diplomatic entities. By analyzing the toolset deployed by the group, ESET identified an attack GoldenJackal carried out earlier, in 2019, against a South Asian embassy in Belarus that targeted the embassy’s air-gapped systems with custom tools. The ultimate goal of GoldenJackal is very likely to be stealing confidential and highly sensitive information, especially from high-profile machines that might not be connected to the internet. ESET Research presented their findings at the 2024 Virus Bulletin conference.

To minimise the risk of compromise, highly sensitive networks are often air-gapped, that is, isolated from other networks. Usually, organisations will air gap their most valuable systems, such as voting systems and industrial control systems running power grids. These are often precisely the networks that are of interest to attackers. Compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system, which means that frameworks designed to attack air-gapped networks have so far been exclusively developed by APT groups. The purpose of such attacks is always espionage.

“In May 2022, we discovered a toolset that we could not attribute to any APT group. But once the attackers used a tool similar to one of those already publicly documented, we were able to dig deeper and find a connection between the publicly documented toolset of GoldenJackal and this new one. Extrapolating from that, we managed to identify an earlier attack where the publicly documented toolset had been deployed, as well as an older toolset that also has capabilities to target air-gapped systems,” says ESET researcher Matías Porolli, who analysed GoldenJackal’s toolset.

GoldenJackal has been targeting governmental entities in Europe, the Middle East, and South Asia. ESET detected GoldenJackal tools at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. More recently, according to ESET telemetry, another governmental organisation in Europe was repeatedly targeted from May 2022 until March 2024.

With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to deploy not one, but two separate toolsets designed to compromise air-gapped systems. This speaks to the resourcefulness of the group. The attacks against a South Asian embassy in Belarus made use of custom tools that we have only seen in that specific instance so far. The campaign used three main components: GoldenDealer to deliver executables to the air-gapped system via USB monitoring; GoldenHowl, a modular backdoor with various functionalities; and GoldenRobo, a file collector and exfiltrator.

“When a victim inserts a compromised USB drive in an air-gapped system and clicks on a component that has the icon of a folder but is actually a malicious executable, then GoldenDealer is installed and run, starting to collect information about the air-gapped system, and storing it on the USB drive. When the drive is again inserted into the internet-connected PC, GoldenDealer takes the information about the air-gapped PC from the USB drive and sends it to the C&C server. The server replies with one or more executables to be run on the air-gapped PC. Finally, when the drive is again inserted into the air-gapped PC, GoldenDealer takes the executables from the drive and runs them. No user interaction is needed because GoldenDealer is already running,” explains Porolli.
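A defender-side check for the USB lure described above, added here as an example and not part of the ESET release or of GoldenJackal's tooling: it scans the root of a removable drive for PE files that pose as folders or documents (an executable named after a sibling folder, or PE content behind a non-executable extension). The drive is a constructed temporary directory; on a real host you would point `scan_removable_root` at the mounted volume.

```python
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"                                   # DOS header that opens every PE file
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}        # extensions where PE content is expected


def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' header, regardless of its extension."""
    try:
        with path.open("rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def scan_removable_root(root: Path) -> list[dict]:
    """Flag executables at the drive root that mimic folders or documents.

    Two lure patterns are checked: a PE file whose stem equals the name of a
    sibling directory (the 'folder icon' trick), and a PE file carrying a
    non-executable extension such as .jpg or .pdf.
    """
    findings = []
    dir_names = {p.name for p in root.iterdir() if p.is_dir()}
    for p in root.iterdir():
        if not p.is_file() or not is_pe(p):
            continue
        reasons = []
        if p.stem in dir_names:
            reasons.append("executable named after sibling folder")
        if p.suffix.lower() not in EXEC_EXT:
            reasons.append(f"PE content with non-executable extension '{p.suffix}'")
        if reasons:
            findings.append({"file": p.name, "reasons": reasons})
    return findings


def build_constructed_drive() -> Path:
    """Constructed sample drive: a real folder, a PE lure named after it,
    a plain text file, and a PE hidden behind an image extension."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Reports").mkdir()
    (root / "Reports.exe").write_bytes(PE_MAGIC + b"\x00" * 62)   # folder-lookalike lure
    (root / "notes.txt").write_text("plain text, not a PE")
    (root / "photo.jpg").write_bytes(PE_MAGIC + b"\x00" * 62)     # PE disguised as an image
    return root


if __name__ == "__main__":
    for hit in scan_removable_root(build_constructed_drive()):
        print(hit["file"], "->", "; ".join(hit["reasons"]))
```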

In its latest series of attacks against a government organisation in the European Union, GoldenJackal moved on from the original toolset to a new, highly modular one. This modular approach applied not only to the malicious tools, but also to the roles of victimised hosts within the compromised system: they were used, among other things, to collect and process interesting, likely confidential information, to distribute files, configurations, and commands to other systems, and to exfiltrate files.

For a more detailed analysis and technical breakdown of GoldenJackal’s tools, check out the latest ESET Research blog post “Mind the (air) gap: GoldenJackal gooses government guardrails” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.