State-backed ‘GoldenJackal’ hackers deploy new tools against government entities

Researchers have uncovered previously undocumented tools used by a state sponsored hacker group against government and diplomatic entities in Europe, the Middle East and South Asia.

GoldenJackal is a little-known cyberespionage group active since at least 2019. Its targets include a South Asian embassy in Belarus and an unnamed European Union government organization, according to a report published Monday by Slovakia-based cybersecurity firm ESET. While researchers have not yet been able to attribute the group to any specific country, they suspect the hackers behind it are Russian speakers.

The custom tools used by the group are primarily designed to target air-gapped systems — computer networks that are physically isolated from unsecured networks, including the internet. Certain organizations typically air-gap their most sensitive networks, such as voting systems and industrial control systems running power grids, to minimize the risk of compromise.

The group’s attacks appear to be aimed at stealing confidential information, according to ESET, which analyzed the group’s latest campaigns.

During the attack on a South Asian embassy in Belarus in August 2019, the hackers used several custom tools, including GoldenDealer malware to deliver executables to the air-gapped system via USB monitoring, the GoldenHowl backdoor and GoldenRobo, a file collector and exfiltrator.

In an attack on a European government organization in May 2022, the group used a different custom toolset capable of collecting files from USB drives, spreading payloads across the network via USB drives, exfiltrating files and using certain computers within the network as servers to deliver various files to other systems.

In these attacks, GoldenJackal adopted a highly modular approach, researchers said, using various components to perform different tasks. 

For example, GoldenUsbCopy monitors the insertion of USB drives and copies interesting files to an encrypted container stored on disk, GoldenBlacklist downloads an encrypted archive from a local server and processes email messages contained within, keeping only those of interest, and GoldenMailer exfiltrates files by sending emails with attachments to attacker-controlled accounts.

ESET researchers were unable to determine how the hackers initially gained access to the targeted systems. However, according to a previous report by Kaspersky, GoldenJackal used trojanized software and malicious documents to breach its victims.

“Compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system,” ESET researchers said.

“With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems,” they added.