GoldenJackal APT group breaches air-gapped systems in Europe

ESET researchers have discovered a series of attacks that took place in Europe from May 2022 to March 2024 against a governmental organization of a European Union country, in which the attackers used a toolset capable of targeting air-gapped systems.

Cyberespionage campaign aims to steal sensitive data from isolated networks

ESET attributes the campaign to GoldenJackal, a cyberespionage APT group that targets government and diplomatic entities. By analyzing the toolset deployed by the group, ESET identified an attack GoldenJackal carried out earlier, in 2019, against a South Asian embassy in Belarus that targeted the embassy’s air-gapped systems with custom tools.

The ultimate goal of GoldenJackal is very likely to be stealing confidential and highly sensitive information, especially from high-profile machines that might not be connected to the internet.

To minimize the risk of compromise, highly sensitive networks are often air-gapped – isolated from other networks. Usually, organizations will air gap their most valuable systems, such as voting systems and industrial control systems running power grids. These are often precisely the networks that are of interest to attackers. Compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system, which means that frameworks designed to attack air-gapped networks have so far been exclusively developed by APT groups. The purpose of such attacks is always espionage.

“In May 2022, we discovered a toolset that we could not attribute to any APT group. But once the attackers used a tool similar to one of those already publicly documented, we were able to dig deeper and find a connection between the publicly documented toolset of GoldenJackal and this new one. Extrapolating from that, we managed to identify an earlier attack where the publicly documented toolset had been deployed, as well as an older toolset that also has capabilities to target air-gapped systems,” says ESET researcher Matías Porolli, who analyzed GoldenJackal’s toolset.

GoldenJackal targets government entities in Europe, Middle East, South Asia

GoldenJackal has been targeting governmental entities in Europe, the Middle East, and South Asia. ESET detected GoldenJackal tools at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. More recently, according to ESET telemetry, another governmental organization in Europe was repeatedly targeted from May 2022 until March 2024.

With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to deploy not one, but two separate toolsets designed to compromise air-gapped systems. This speaks to the resourcefulness of the group. The attacks against a South Asian embassy in Belarus made use of custom tools that we have only seen in that specific instance so far. The campaign used three main components: GoldenDealer to deliver executables to the air-gapped system via USB monitoring; GoldenHowl, a modular backdoor with various functionalities; and GoldenRobo, a file collector and exfiltrator.

“When a victim inserts a compromised USB drive in an air-gapped system and clicks on a component that has the icon of a folder but is actually a malicious executable, then GoldenDealer is installed and run, starting to collect information about the air-gapped system, and storing it on the USB drive. When the drive is again inserted into the internet-connected PC, GoldenDealer takes the information about the air-gapped PC from the USB drive and sends it to the C&C server. The server replies with one or more executables to be run on the air-gapped PC. Finally, when the drive is again inserted into the air-gapped PC, GoldenDealer takes the executables from the drive and runs them. No user interaction is needed because GoldenDealer is already running,” explains Porolli.
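
A defender-side triage check for the lure described above (an executable shown with a folder icon), added here as an example and not part of ESET's research or tooling: it identifies Windows executables on a mounted removable volume by file content rather than by icon or extension. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}  # assumed "expected" PE extensions

def is_pe(path):
    """Content check: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored at 0x3C."""
    try:
        with path.open("rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def triage_volume(root):
    """List every PE image on the volume, whatever its name, icon or extension."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_pe(p):
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "at_root": p.parent == root,  # where a user browsing the drive would click
                "unusual_ext": p.suffix.lower() not in EXEC_EXTS,
            })
    return findings

def build_sample_volume(root):
    """Constructed sample data: a minimal PE header stub, not a working program."""
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
    (root / "Documents.exe").write_bytes(stub)        # PE at the drive root
    (root / "notes.txt").write_text("meeting notes")
    (root / "fake.exe").write_bytes(b"not a PE")      # .exe name, no PE content
    (root / "data").mkdir()
    (root / "data" / "report.dat").write_bytes(stub)  # PE under a data extension

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_volume(root)
        return triage_volume(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real system, `triage_volume` would be pointed at the mount point of the removable drive before any file on it is opened.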

In its latest series of attacks against a government organization in the European Union, GoldenJackal moved on from the original toolset to a new, highly modular one. This modular approach applied not only to the malicious tools, but also to the roles of victimized hosts within the compromised system: they were used, among other things, to collect and process interesting, likely confidential information, to distribute files, configurations, and commands to other systems, and to exfiltrate files.
