Sednit Espionage Group Attacking Air-Gapped Networks
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="canonical" href="https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/"><title>Sednit Espionage Group Attacking Air-Gapped Networks</title><meta name="description" content="Research for ESET has uncovered a new technique for the Sednit espionage group, also known as the Sofacy group, that targets Air-Gapped networks."></head> <body> <div id="app" > <!-- main content --> <div id="main"> <div class="container article-page py-5"> <div class="row"> <div class="col col-lg-8 pe-lg-0"> <div class="article-header"> <p class="category text-uppercase">Malware</p> <h1 class="page-headline">Sednit Espionage Group Attacking Air-Gapped Networks</h1> <p class="sub-title">The Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various institutions for many years. We recently discovered a component the group employed to reach physically isolated computer networks -- “air-gapped” networks -- and exfiltrate sensitive files from them through removable drives.</p> <div class="article-authors d-flex flex-wrap"><div class="article-author d-flex"><a href="/en/our-experts/joan-calvet/" title="Joan Calvet"><picture><source srcset="https://web-assets.esetstatic.com/tn/-x45/wls/2014/04/joan_calvet_edit.jpg" media="(max-width: 768px)" /><img class="author-image me-3" src="https://web-assets.esetstatic.com/tn/-x45/wls/2014/04/joan_calvet_edit.jpg" alt="Joan Calvet" /></picture></a><div class="author-text"><p><a href="/en/our-experts/joan-calvet/" title="Joan Calvet"><b>Joan Calvet</b></a></p></div></div></div> <p class="article-info mb-5"> <span>11 Nov 2014</span> <span class="d-none d-lg-inline"> • </span> <span class="d-inline d-lg-none">, </span> <span>9 min. read</span> </p> </div> <div class="article-body"> <p>The Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various institutions for many years. 
We recently discovered a component the group employed to reach physically isolated computer networks -- “air-gapped” networks -- and exfiltrate sensitive files from them through removable drives.</p> <h1>Introduction</h1> <p>Last month ESET discovered that <a href="/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/">the Sednit group was performing watering-hole attacks using a custom-built exploit kit</a>. Over the last few weeks several pieces of intelligence have been shared on this group, including the <a href="http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/pawn-storm-espionage-attacks-use-decoys-deliver-sednit">Operation Pawn Storm</a> report from Trend Micro and the <a href="http://www.fireeye.com/resources/pdfs/apt28.pdf">APT28</a> report from FireEye.</p> <p>In this blog post, we are sharing knowledge of a tool employed to extract sensitive information from air-gapped networks. ESET detects it as <a href="http://www.virusradar.com/en/Win32_USBStealer/detail">Win32/USBStealer</a>.</p> <p>We believe the Sednit group has been using this tool at least since 2005, and is still using it today against their usual types of target, namely governmental institutions in Eastern Europe. Several versions of the tool have been employed over the past few years, with various degrees of complexity.</p> <h1>Win32/USBStealer strategy</h1> <p>A common security measure for sensitive computer networks is to have them totally isolated from the outside world via an “air gap”. As the name implies, these networks do not possess any direct, outside connections to the Internet.</p> <p>However, the use of removable drives can create paths to the outside world. This is particularly true when the same removable drive is repeatedly plugged into both Internet-connected machines and air-gapped machines, such as when transferring files.</p> <p>This is the scenario that is exploited by Win32/USBStealer in order to reach air-gapped networks. 
The following image presents a high-level overview of this strategy in the simple case of just two computers. Computer A is connected to the Internet and is initially infected with the Win32/USBStealer <a href="http://www.virusradar.com/en/glossary/dropper-trojan">dropper</a>, whereas Computer B is physically isolated and becomes infected with Win32/USBStealer during the attack.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2014/11/Figure_1_infographic.jpg"><img class="wp-image-53970" src="https://web-assets.esetstatic.com/wls/2014/11/Figure_1_infographic.jpg" alt="Figure 1 - Attack Scenario" width="640" height="453" /></a><p class="caption-text">Figure 1 - Attack Scenario</p></div></p> <p>In this scenario the same removable drive goes back and forth between the Internet-connected Computer A and the air-gapped Computer B. We are now going to explain each step of this attack in more detail. We focus here on the most complex version of Win32/USBStealer observed.</p> <h1>Step 1: First insertion in Computer A</h1> <p>Computer A is initially infected with the Win32/USBStealer dropper, detected as Win32/USBStealer.D by ESET. 
The dropper file name is <span style="font-family: 'courier new', courier;">USBSRService.exe</span>, and it tries to mimic a legitimate Russian program called <a href="https://ru.wikipedia.org/wiki/USB_Disk_Security">USB Disk Security</a>, as shown below.</p> <p><div class="caption center"><a href="https://web-assets.esetstatic.com/wls/2014/11/Figure_2_USBSRService_details.png"><img class="size-full wp-image-53971" src="https://web-assets.esetstatic.com/wls/2014/11/Figure_2_USBSRService_details.png" alt="Figure 2 - Win32/USBStealer Dropper Metadata" width="324" height="298" /></a><p class="caption-text">Figure 2 - Win32/USBStealer Dropper Metadata</p></div></p> <p>The main logic of the dropper is as follows:</p> <ul> <li>It monitors the insertion of removable drives into the machine by creating a window with a <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms633573(v=vs.85).aspx">callback</a> that will be notified when such events occur.</li> <li>Once a removable drive is inserted, the dropper decrypts two of its resources in memory. The first one drops the program Win32/USBStealer onto the removable drive under the name “<span style="font-family: 'courier new', courier;">USBGuard.exe</span>”. The second resource is an <span style="font-family: 'courier new', courier;">AUTORUN.INF</span> file whose content is shown below.</li> </ul> <p><span style="font-family: 'courier new', courier;">[autorun]</span></p> <p><span style="font-family: 'courier new', courier;">open=</span></p> <p><span style="font-family: 'courier new', courier;">shell\open=Explore</span></p> <p><span style="font-family: 'courier new', courier;">shell\open\command="System Volume Information\USBGuard.exe" install</span></p> <p><span style="font-family: 'courier new', courier;">shell\open\Default=1</span></p> <ul> <li>This file is dropped onto the removable drive root. 
It ensures that double-clicking on the drive executes USBGuard.exe, as well as clicking on the first right-click option (renamed “<em>Explore</em>” instead of “<em>Open</em>”). This will only work on computers with the Windows AutoRun feature enabled, which was deactivated by the Windows update <a href="http://support.microsoft.com/kb/971029">KB971029</a> in August 2009. It may seem a long time ago, but we believe Win32/USBStealer started to propagate at least four years before that period. Moreover, it is common for machines in air-gapped networks to be out-of-date, because they can be hard to update and they are assumed to be unreachable by attackers.</li> </ul> <ul> <li>Finally, an empty file named “destktop.in” (spelled “desktop.in” in step 2 below) is dropped onto the removable drive. It will serve as a sign for other infected machines that this drive has been connected to an Internet-connected machine at some point. In other words, the drive is a potential path to the outside world for air-gapped machines.</li> </ul> <p>Overall, the dropper takes great care not to attract attention. For example, both the <span style="font-family: 'courier new', courier;">AUTORUN.INF</span> and <span style="font-family: 'courier new', courier;">USBGuard.exe</span> files have their last-access and last-write timestamps set to those of a standard Windows library chosen on the system. Also, the two decrypted resources are immediately re-encrypted in memory after having been dropped on the removable drive. Finally, all dropped files are set with hidden and system file attributes, to help ensure that they will remain undetected by casual users.</p> <h1><span lang="EN-US">Step 2: First insertion in Computer B</span></h1> <p>When the USB drive is inserted in Computer B, which has AutoRun enabled, Win32/USBStealer installs itself. 
It then enumerates all drives connected to the machine and, depending on the drive’s type, it executes different logic:</p> <ul> <li>If the drive is removable and has been marked as having been connected to an Internet-capable machine (thanks to the dropped <span style="font-family: 'courier new', courier;">desktop.in</span> file in step 1), Computer B registers itself on the drive by creating a folder with its computer name. This registration will allow the operators to map the reachable machines when the drive comes back to Computer A.</li> </ul> <p style="padding-left: 30px;">Computer B also keeps track of the drive locally by recording its hardware ID. Thus even if <span style="font-family: 'courier new', courier;">desktop.in</span> is removed by the user from the drive, Computer B will remember that this drive can be used as a path to the outside.</p> <ul> <li>If the drive is non-removable, or is removable but shows no sign of having been connected to an Internet-connected machine, Win32/USBStealer executes an automatic exfiltration procedure (as opposed to the manual procedure we will describe later).</li> </ul> <p>The purpose of this step is to group interesting files from all these drives in the same local directory. The actual exfiltration will happen the next time the “marked” removable drive gets inserted into Computer B. "Interesting files" are here defined as:</p> <ul> <li>Files whose extension is “.<span style="font-family: 'courier new', courier;">skr</span>”, “.<span style="font-family: 'courier new', courier;">pkr</span>” or “.<span style="font-family: 'courier new', courier;">key</span>”. The first two correspond to the default extensions for the “keyrings” of the PGP Desktop cryptographic application. These files store private and public keys, respectively. The “.key” extension is often used by cryptographic tools for files storing generated keys.</li> </ul> <ul> <li>Files whose name belongs to a hardcoded list. 
We have observed two different lists in the wild, described in the table below.</li> </ul> <p><table> <thead> <tr> <th>*</th> <th>List 1</th> <th>List 2</th> </tr> </thead> <tbody> <tr> <td>Possible period of use</td> <td>2005</td> <td>2011-2014</td> </tr> <tr> <td>File names searched for</td> <td>Win32Negah.dll<br /> Ssers.dat<br /> Settings.dat<br /> Negah2.exe<br /> DtInt.dat<br /> Audit.dat</td> <td>key.in<br /> key.out<br /> z_box.exe<br /> talgar.exe</td> </tr> </tbody> </table></p> <p style="padding-left: 30px;">The possible period of use corresponds to the compilation timestamps of the files containing these lists.</p> <p style="padding-left: 30px;">We found very few references for most of these file names on the Internet, probably because they belong to private software. Interestingly, Talgar (from “<span style="font-family: 'courier new', courier;">talgar.exe</span>”) is a town in the Almaty Province of southeastern Kazakhstan.</p> <p style="padding-left: 30px;">The malware searches for these files everywhere on the machine, except in folders matching the following antivirus names: Symantec, Norton, McAfee, ESET Smart Security, AVG9, Kaspersky Lab and Doctor Web.</p> <h1>Step 3: Second insertion in Computer A</h1> <p>The malware operators collect the computer name that has been registered by Computer B from the drive. As the dropper running on Computer A does not implement anything more than we previously described, the operators should have another malicious component running on Computer A in order to achieve that step.</p> <p>Then, the operators drop commands for Computer B onto the removable drive, in an encrypted file named “<span style="font-family: 'courier new', courier;">COMPUTER_NAME.in</span>”.</p> <h1>Step 4: Second insertion in Computer B</h1> <p>When the removable drive comes back in Computer B, Win32/USBStealer drops onto it the files grouped during the automatic exfiltration procedure described in step 2, above. 
The next time the removable drive gets connected to Computer A, the operators will be able to grab these “air-gapped” files.</p> <p>Win32/USBStealer then decrypts the command files dropped by the operators for Computer B. The decrypted content is a series of commands that will be executed consecutively. Each command is a two-byte number followed by a parameter.</p> <p><table> <thead> <tr> <th>Command Number</th> <th>Parameter</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>0x0001</td> <td>Windows path</td> <td>Copies files matching the path to the removable drive</td> </tr> <tr> <td>0x0002</td> <td>Root = Path = Day</td> <td>Copies files whose path matches “Root \Path*” to the removable drive, but only if they have been modified less than Day days ago</td> </tr> <tr> <td>0x0003</td> <td>Root = Path = Day</td> <td>Same as command 0x0002, but the parameter is also written in the startup monitoring file (see paragraph below)</td> </tr> <tr> <td>0x0004</td> <td>Should be set to “!”</td> <td>Launch the automatic exfiltration function (see step 2) on all connected drives</td> </tr> <tr> <td>0x0005</td> <td>None</td> <td>Removes startup monitoring file (see paragraph below)</td> </tr> <tr> <td>0x0006</td> <td>Windows path</td> <td>Executes a copy of the file pointed to by the parameter under the name “taskrel.exe”</td> </tr> <tr> <td>0x0007</td> <td>None</td> <td>Removes file named “taskrel.exe”</td> </tr> <tr> <td>0x0008</td> <td>Root = Path = Day</td> <td>Writes filenames matching “Root \Path*” to the removable drive, but only if they have been modified less than Day days ago, in a file named “inres.in”</td> </tr> <tr> <td>0x0009</td> <td>None</td> <td>Removes file named “inres.in”</td> </tr> </tbody> </table></p> <p>Commands 0x0003 and 0x0005 refer to the startup monitoring file, which is a file stored locally on Computer B containing file patterns in the format “Root = Path = Day”. Each time the machine boots up, command 0x0002 will be executed on these patterns. 
This allows long-term monitoring for files of interest.</p> <p>Command 0x0008 serves as a means of discovering possibly interesting files. We can speculate that operators start with command 0x0008, and then run commands 0x0002 or 0x0003 to collect files of possible interest.</p> <p>For all commands that copy files to removable drives there is a fallback mechanism. In case the copy fails, for example because write access to the drive is not granted, the files will be grouped in a local directory instead. They will be copied onto the next Internet-capable drive that gets connected to the machine.</p> <h1>Conclusion</h1> <p>Win32/USBStealer shows the high level of determination of its operators, the Sednit group. Here are some surprising things discovered during the investigation:</p> <ul> <li><strong>Almost 10 years of operation:</strong> The earliest compilation date we found for the Win32/USBStealer payload is May 2005, as shown in the figure below. As the compiler version that produced this particular binary is consistent with the compilation date, and since other Win32/USBStealer payloads have realistic compilation timestamps (dating from the past few years), we believe this represents the actual date of operation for this program.</li> </ul> <p><a href="https://web-assets.esetstatic.com/wls/2014/11/Figure_3_2005binary.png"><img class="aligncenter size-full wp-image-53972" src="https://web-assets.esetstatic.com/wls/2014/11/Figure_3_2005binary.png" alt="Figure_3_2005binary" width="560" height="176" /></a></p> <ul> <li><strong>Precise targeting:</strong> The names of the files searched for by the automatic extraction procedure indicate very precise knowledge of the targets.</li> </ul> <p>Some open questions remain; for example it is currently unclear how the initial infection occurred. We can speculate that the classic spear-phishing technique has been used. 
It should be noted that the recent FireEye report on this group reports a spear phishing campaign using the topic “USB Disk Security is the best software to block threats that can damage your PC or compromise your personal information via USB storage.”</p> <p>In the attack scenario we described, Computer A has to be already controlled by the miscreants. The Win32/USBStealer dropper does not have the ability to communicate over the Internet, so we can speculate there are other malicious components running on this machine.</p> <h1>Indicators of Compromise (IOC)</h1> <h2>Dropper</h2> <ul> <li>Registers service named "USB Disk Security" with the description "Provide protection against threats via USB drive".</li> <li>Alternatively, registers itself under the “<span style="font-family: 'courier new', courier;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span>” registry key, under the name “USB Disk Security”</li> <li>Opens mutex named “ZXCVMutexHello”</li> <li>Resources of type “X”: <ul> <li>ID=109 for the payload</li> <li>ID=106 for the <span style="font-family: 'courier new', courier;">AUTORUN.INF</span> file</li> </ul> </li> </ul> <h2>Payload</h2> <ul> <li>Registers service named "USBGuard" with the description " Protects removable media from becoming infected with malware".</li> <li>Alternatively, registers itself under the “<span style="font-family: 'courier new', courier;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span>” registry key, under the name “USBGuard”</li> <li>Opens mutex named “USB_Flash”</li> </ul> <h2><span lang="EN-US">Hashes</span></h2> <p><table> <thead> <tr> <th>SHA1</th> <th>Purpose</th> <th>ESET Detection Name</th> </tr> </thead> <tbody> <tr> <td>BB63211E4D47344514A8C79CC8C310352268E731</td> <td>Dropper<br /> (USBSRService.exe)</td> <td>Win32/USBStealer.D</td> </tr> <tr> <td>776C04A10BDEEC9C10F51632A589E2C52AABDF48</td> <td>Payload<br /> (USBGuard.exe)</td> <td>Win32/USBStealer.A</td> </tr> </tbody> 
</table></p> </div>
.8932,2.4447,2.5085,2.5732,.4882,.0377,1.0188,.0348,1.565,.0348,2.2233,0,4.0735-.3712,4.0735-2.7849,0-2.2997-1.1996-2.463-4.0745-2.5288-1.4268-.0319-1.5109-.3316-1.5109-.8043,0-.5616,.0619-.7405,1.5119-.7405,.5317,0,1.0633,.0474,1.1822,.7086h2.4882v-.3393c0-2.001-2.0967-2.03-3.6733-2.03-2.3625,0-4.0735,.0532-4.0735,2.7066m21.6744-2.7066h6.5018v1.9005h-1.9333v6.525h-2.6274v-6.524h-1.9333l-.0077-1.9014Zm-9.7275,4.2059c0-3.2122,.7086-4.2398,4.0464-4.2398,3.1194,0,4.031,.842,4.031,4.2398v.376h-5.4896v.0909c0,1.4945,.2359,2.0058,1.4587,2.0058,.8226,0,1.45-.0909,1.4896-.9821h2.5413c.0948,.8946-.3269,1.7653-1.0875,2.2456-.9243,.3931-1.9294,.5588-2.9309,.4833-3.276,0-4.0464-1.1088-4.0464-4.2224m-23.7624,5.7874c-1.3214-1.421-1.6134-3.652-1.6134-5.7739s.29-4.35,1.6134-5.7758c1.0333-.9868,2.3994-1.5498,3.828-1.5776h17.7865v14.7048h-17.7865c-1.4285-.0278-2.7946-.5908-3.828-1.5776m43.7423-16.12c.0004-.036-.009-.0714-.0271-.1025-.0116-.0387-.0445-.0628-.086-.0899-.0385-.0194-.0807-.0303-.1237-.0319-.0559-.0087-.1126-.0123-.1692-.0106h-.1508v.5394h.115c.0678,.0013,.1357-.0022,.203-.0106,.0495-.0114,.0968-.0307,.1402-.057,.0317-.0265,.0574-.0594,.0754-.0967,.016-.0456,.0235-.0938,.0222-.1421m.8226,1.3533h-.61l-.5742-.7086h-.1933v.7066h-.4679v-1.913h.7269c.1085-.0031,.2172,.0024,.3248,.0164,.0855,.0088,.1681,.0355,.2426,.0783,.0789,.0405,.1456,.1012,.1933,.1759,.0425,.0819,.0625,.1737,.058,.2658,.0044,.1242-.0384,.2454-.1199,.3393-.0832,.0952-.1884,.1685-.3064,.2136l.7259,.8255Zm.4186-.9203c.0053-.4029-.1547-.7903-.4427-1.072-.2749-.2868-.6574-.4452-1.0546-.4369-.3998-.0086-.7851,.1497-1.0633,.4369-.5856,.5955-.5856,1.5505,0,2.146,.5715,.5851,1.5091,.5962,2.0942,.0247,.0083-.0081,.0166-.0164,.0247-.0247,.289-.2818,.4492-.6703,.4427-1.074m.4253,0c.0069,.5131-.1972,1.0066-.5645,1.3649-.7536,.747-1.9685,.747-2.7221,0-.3705-.3563-.5758-.851-.5665-1.3649-.0083-.5104,.1971-1.001,.5665-1.3533,.7441-.75,1.955-.7561,2.7066-.0135l.0135,.0135c.3662,.3543,.5704,.8438,.5645,1.3533m-64.0238,6.763
7h2.1044c1.5563,0,2.32,.6206,2.32,1.74,.0109,.539-.2936,1.0349-.7791,1.2692v.0242c.7243,.1716,1.2395,.8131,1.2509,1.5573,0,1.16-.6767,1.9652-2.5133,1.9652h-2.3828v-6.5559Zm2.0483,2.7588c.7414,0,1.1126-.2591,1.1126-.8893,0-.6767-.4456-.899-1.2799-.899h-.6109v1.7883h.7782Zm.2127,2.7898c.87,0,1.362-.2223,1.362-.9261s-.5007-.9667-1.4829-.9667h-.87v1.8908l.9908,.0019Zm4.9406-1.248l-2.32-4.3007h1.4548l1.5418,3.2267,1.6433-3.2248h1.4084l-2.4659,4.2726v2.2775h-1.2566l-.0058-2.2514Z" /></g></g></svg> </a> </div> </div> <div class="page-info"> <p> Award-winning news, views, and insight from the ESET security community </p> </div> </div> <div class="col footer-links"> <a href="/en/company/about-us/" title="About us" >About us</a> <a href="https://www.eset.com" title="ESET" >ESET</a> <a href="/en/company/contact-us/" title="Contact us" >Contact us</a> <a href="/en/company/privacy/" title="Privacy Policy" >Privacy Policy</a> <a href="/en/company/legal-information/" title="Legal Information" >Legal Information</a> <a href="/en/#" title="Manage Cookies" id="manage-cookies" onclick="event.preventDefault()" >Manage Cookies</a> <a href="/en/rss/feed/" title="RSS Feed" >RSS Feed</a> </div> <div class="col social-networks"> <a href="https://www.facebook.com/eset/" title="Join our facebook fan site!"> <svg id="Layer_2" fill="#949ca1" class="facebook" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path fill="white"d="m30.9623,26.8125l.8054-5.2483h-5.0359v-3.4058c0-1.4358.7035-2.8354,2.9589-2.8354h2.2894v-4.4684s-2.0776-.3546-4.064-.3546c-4.1472,0-6.858,2.5137-6.858,7.0642v4h-4.61v5.2483h4.61v12.6875h5.6737v-12.6875h4.2305Z" /></g></svg> </a> <a href="https://youtube.com/esetglobal" title="Watch our videos at YouTube Channel."> <svg id="Layer_2" fill="#949ca1" class="youtube" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g 
id="Layer_1-2"><g id="youtube"><g id="SOCIAL_MEDIA"><path id="youtube-2" fill="white"d="m39.3741,17.7792c-.3492-1.2938-1.3598-2.3044-2.6536-2.6536-2.3399-.625-11.7206-.625-11.7206-.625,0,0-9.3745,0-11.7206.625-1.2941.3485-2.305,1.3594-2.6536,2.6536-.4319,2.3823-.6412,4.7997-.6249,7.2208-.0162,2.4211.193,4.8385.625,7.2208.3478,1.2946,1.359,2.3058,2.6536,2.6536,2.3399.625,11.7206.625,11.7206.625,0,0,9.3807,0,11.7206-.625,1.2942-.3485,2.3051-1.3594,2.6536-2.6536.4315-2.3824.6408-4.7997.625-7.2208.0158-2.4211-.1934-4.8384-.625-7.2208h0Zm-17.374,11.7205v-8.9994l7.7933,4.4997-7.7933,4.4997Z" /></g></g></g></g></svg> </a> <a href="https://twitter.com/ESET" title="Visit the official WLS Twitter page."> <svg id="Layer_2" fill="#949ca1" class="twitter" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="twitter"><g id="Layer_2-3"><g id="Research_icons"><path id="twitter-2" fill="white"d="m36.0847,16.9564c1.1786-.1395,2.3298-.4543,3.4153-.934-.7998,1.1935-1.8049,2.2357-2.9686,3.0783v.7675c0,7.8581-5.9779,16.9184-16.9184,16.9184-3.2314.004-6.3954-.9238-9.113-2.6722.4703.0571.9436.0856,1.4173.0853,2.6784.0044,5.2803-.8925,7.3871-2.5463-2.5446-.0467-4.7777-1.7068-5.5555-4.1301.3681.0703.742.1056,1.1168.1056.5293,0,1.0564-.0696,1.5676-.2071-2.775-.5608-4.7696-3.0006-4.7677-5.8317v-.0731c.826.4573,1.7488.712,2.6925.7432-2.6116-1.7476-3.4122-5.2258-1.8275-7.9394,3.0149,3.7157,7.4653,5.9771,12.2441,6.2215-.7617-3.1963,1.2119-6.4049,4.4082-7.1666,2.0894-.4979,4.285.1691,5.7444,1.7451,1.3319-.2639,2.6091-.7528,3.7768-1.4457-.4477,1.3745-1.3782,2.5402-2.6194,3.2813Z" /></g></g></g></g></svg> </a> <a href="https://www.linkedin.com/company/eset" title="Follow us on LinkedIn."> <svg id="Layer_2" fill="#949ca1" class="linkedin" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><path 
fill="white"d="m18.7686,35.9995h-4.9757v-16.0232h4.9757v16.0232Zm-2.4905-18.2089c-1.5911,0-2.8816-1.3179-2.8816-2.9089.0002-1.5915,1.2906-2.8814,2.882-2.8812,1.5911.0002,2.881,1.29,2.8812,2.8812,0,1.5911-1.2911,2.9089-2.8816,2.9089Zm21.113,18.2089h-4.965v-7.8c0-1.8589-.0375-4.2429-2.587-4.2429-2.587,0-2.9834,2.0196-2.9834,4.1089v7.9339h-4.9704v-16.0232h4.7721v2.1857h.0696c.6643-1.2589,2.287-2.5875,4.7079-2.5875,5.0357,0,5.9614,3.3161,5.9614,7.6232v8.8018h-.0054Z" /></g></svg> </a> <a href="https://www.welivesecurity.com/rss-configurator/" title="Don´t miss a single post!"> <svg id="Layer_2" fill="#949ca1" class="social-icon" xmlns="http://www.w3.org/2000/svg" width="35" height="35" viewBox="0 0 50 50"><g id="Layer_2-2"><circle cx="25" cy="25" r="25" /><g id="rss"><g id="SOCIAL_MEDIA"><path id="rss-2" fill="white"d="m16.9299,36.9089c-1.8039-.0139-3.255-1.4876-3.2411-3.2915.0139-1.8039,1.4876-3.255,3.2915-3.2411,1.7931.0138,3.2398,1.4706,3.2412,3.2638-.006,1.8113-1.4791,3.2748-3.2904,3.2688-.0004,0-.0008,0-.0012,0Zm12.6168,0c-.0331-8.7521-7.1549-15.8203-15.907-15.7872h-.0014v4.6272c6.1869-.0232,11.2214,4.9731,11.2452,11.16h4.6632Zm8.0916,0c-.0503-13.2044-10.7953-23.8679-23.9997-23.8176-.0001,0-.0002,0-.0003,0v4.7628c10.5637-.0398,19.1597,8.4911,19.2,19.0548h4.8Z" /></g></g></g></svg> </a> </div> </div> <div class="row g-0"> <div class="col copyright"> Copyright © ESET, All Rights Reserved </div> </div> </div> </footer> </div> <!-- scripts --> <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/app-7a4ecde0.js" /><script type="module" src="https://www.welivesecurity.com/build/assets/app-7a4ecde0.js"></script> <link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/search-7d9f58b7.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/_commonjsHelpers-042e6b4d.js" /><script type="module" src="https://www.welivesecurity.com/build/assets/search-7d9f58b7.js"></script> <script> var disqus_config = 
function () { this.page.url = "https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/"; this.page.identifier = "Sednit Espionage Group Attacking Air-Gapped Networks"; this.page.title = "106"; this.language = "en"; }; (function() { var d = document, s = d.createElement('script'); s.src = 'https://welivesecurity.disqus.com/embed.js'; s.setAttribute('data-timestamp', +new Date()); (d.head || d.body).appendChild(s); })(); </script> <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/prism-40494b65.css" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/prism-40d1b0a4.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/_commonjsHelpers-042e6b4d.js" /><link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/prism-40494b65.css" /><script type="module" src="https://www.welivesecurity.com/build/assets/prism-40d1b0a4.js"></script> <link rel="preload" as="style" href="https://www.welivesecurity.com/build/assets/article-e3625c4c.css" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/article-98874652.js" /><link rel="modulepreload" href="https://www.welivesecurity.com/build/assets/table-wrapper-135558d1.js" /><link rel="stylesheet" href="https://www.welivesecurity.com/build/assets/article-e3625c4c.css" /><script type="module" src="https://www.welivesecurity.com/build/assets/article-98874652.js"></script></body> </html>