State-backed ‘GoldenJackal’ hackers deploy new tools against government entities


Researchers have uncovered previously undocumented tools used by a state-sponsored hacker group against government and diplomatic entities in Europe, the Middle East and South Asia.

GoldenJackal is a little-known cyberespionage group active since at least 2019. Its targets include a South Asian embassy in Belarus and an unnamed European Union government organization, according to a report published Monday by Slovakia-based cybersecurity firm ESET. While researchers have not yet been able to attribute the group to any specific country, they suspect the hackers behind it are Russian speakers.

The custom tools used by the group are primarily designed to target air-gapped systems — computer networks that are physically isolated from unsecured networks, including the internet. Certain organizations typically air-gap their most sensitive networks, such as voting systems and industrial control systems running power grids, to minimize the risk of compromise.

The group’s attacks appear to be aimed at stealing confidential information, according to ESET, which analyzed the group’s latest campaigns.

During the attack on a South Asian embassy in Belarus in August 2019, the hackers used several custom tools, including the GoldenDealer malware, which delivers executables to the air-gapped system by monitoring USB drives; the GoldenHowl backdoor; and GoldenRobo, a file collector and exfiltrator.

In an attack on a European government organization in May 2022, the group used a different custom toolset capable of collecting files from USB drives, spreading payloads across the network via USB drives, exfiltrating files and using certain computers within the network as servers to deliver various files to other systems.

In these attacks, GoldenJackal adopted a highly modular approach, researchers said, using various components to perform different tasks.

For example, GoldenUsbCopy monitors the insertion of USB drives and copies interesting files to an encrypted container stored on disk. GoldenBlacklist downloads an encrypted archive from a local server and processes the email messages contained within, keeping only those of interest. GoldenMailer exfiltrates files by sending emails with attachments to attacker-controlled accounts.
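A component that waits for a USB drive to appear and immediately copies documents off it leaves a host-side footprint that defenders on an air-gapped network can look for: a device that is not on the approved list, and one process reading many files from the new drive within moments of the attach. The script below is an added example written for this article, not code from ESET's report or from the GoldenJackal toolset. It runs over constructed JSON-lines telemetry with a made-up schema (not real Sysmon or Windows Event Log output); the device IDs, mount letters, paths and process names are all invented.

```python
"""Added example: flag removable devices missing from an allow-list and a
process that sweeps files off a removable drive right after it is attached.
The telemetry format below is constructed for this example and is not real
Sysmon or Windows Event Log output."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, not a capture from a real host.
SAMPLE_LOG = r"""
{"ts": "2024-05-03T09:00:00", "type": "device_attach", "device_id": "USB\\VID_0781&PID_5583\\4C530001", "mount": "E:"}
{"ts": "2024-05-03T09:00:04", "type": "file_read", "process": "svchost.exe", "pid": 4120, "path": "E:\\reports\\budget.docx"}
{"ts": "2024-05-03T09:00:05", "type": "file_read", "process": "svchost.exe", "pid": 4120, "path": "E:\\reports\\staff.xlsx"}
{"ts": "2024-05-03T09:00:05", "type": "file_read", "process": "svchost.exe", "pid": 4120, "path": "E:\\cables\\2024-04.pdf"}
{"ts": "2024-05-03T09:00:06", "type": "file_read", "process": "svchost.exe", "pid": 4120, "path": "E:\\cables\\2024-05.pdf"}
{"ts": "2024-05-03T09:00:07", "type": "file_read", "process": "svchost.exe", "pid": 4120, "path": "E:\\notes.txt"}
{"ts": "2024-05-03T09:00:09", "type": "file_write", "process": "svchost.exe", "pid": 4120, "path": "C:\\ProgramData\\cache.bin"}
{"ts": "2024-05-03T13:30:00", "type": "device_attach", "device_id": "USB\\VID_0951&PID_1666\\ALLOWED01", "mount": "F:"}
{"ts": "2024-05-03T13:30:20", "type": "file_read", "process": "explorer.exe", "pid": 2200, "path": "F:\\photo.jpg"}
{"ts": "2024-05-03T13:31:00", "type": "file_read", "process": "WINWORD.EXE", "pid": 3300, "path": "F:\\memo.docx"}
"""

# Devices approved for this hypothetical air-gapped host (invented IDs).
DEVICE_ALLOWLIST = {"USB\\VID_0951&PID_1666\\ALLOWED01"}


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, converting 'ts' to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def unauthorised_devices(events, allowlist=DEVICE_ALLOWLIST):
    """Return the IDs of attached devices that are not on the allow-list."""
    return sorted({e["device_id"] for e in events
                   if e["type"] == "device_attach" and e["device_id"] not in allowlist})


def detect_usb_sweep(events, window=timedelta(seconds=120), min_files=4):
    """Return (device_id, process, pid, count) for every process that reads at
    least `min_files` distinct files from a removable drive within `window` of
    that drive's attach event. A burst like this is what an automated
    document harvester looks like from the host's point of view."""
    alerts = []
    for attach in (e for e in events if e["type"] == "device_attach"):
        mount = attach["mount"].upper()
        deadline = attach["ts"] + window
        per_proc = defaultdict(set)
        for e in events:
            if e["type"] != "file_read" or not attach["ts"] <= e["ts"] <= deadline:
                continue
            # Only count reads from the drive that was just attached.
            if e["path"].upper().startswith(mount + "\\"):
                per_proc[(e["process"], e["pid"])].add(e["path"])
        for (proc, pid), paths in per_proc.items():
            if len(paths) >= min_files:
                alerts.append((attach["device_id"], proc, pid, len(paths)))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for dev in unauthorised_devices(evs):
        print(f"unauthorised device attached: {dev}")
    for dev, proc, pid, n in detect_usb_sweep(evs):
        print(f"ALERT {proc} (pid {pid}) read {n} files from {dev} right after attach")
```

On the constructed data the first drive trips both checks (it is not on the allow-list, and a single process reads five files from it within seconds of the attach), while the approved drive, read by two different user applications, raises nothing. The thresholds are starting points: on a real host the window and file count should be tuned against a baseline of normal removable-media use.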

ESET researchers were unable to determine how the hackers initially gained access to the targeted systems. However, according to a previous report by Kaspersky, GoldenJackal used trojanized software and malicious documents to breach its victims.

“Compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system,” ESET researchers said.

“With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems,” they added.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
