An air-gapped device or system is one that is neither connected to the Internet nor connected to other systems that are connected to the Internet. Air gaps generally are implemented where the system or network is a classified, payment networks that process credit and debit card transactions, or industrial control systems that operate critical infrastructure. Traditionally, air gap means the device or network is physically isolated from the Internet and data can only pass to it via a USB flash drive, CD/DVD, other removable media, or a firewire connecting two computers directly.
If had a nickel for every time I heard, “We are secure because the system is not connected to the Internet thus there is no need to implement information system control because physical controls are sufficient,” I would be rich. In the past and still today, people and organizations believe air gap is more secure, since it would required an attacker to have physical access to breach them. However, recent attacks involving malware that spread via infected USB flash drives have shown the lie to this belief.
One of the most famous compromises of an air-gapped system is Stuxnet, which was designed to sabotage centrifuges used at a uranium enrichment plant in Iran. More recently, evidence has shown that air-gapped systems can also be attacked through radio waves (Zetter, 2014).
I came across two different attacks over the last two months for air gapped system involving USB flash drive malware. First is the "USB Thief" that is also described as Win32/PSW.Stealer.NAI which was found by ESET. The malware consists of six files: four are executables and the other are configuration data. Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system and protects itself from being reproduced or copied. The malware is designed to exfiltrate data from the target system, however If there is no control server then it indicates a hands on campaign, where the communication of the device takes place at a personal or insider level. Furthermore, there are indications that the USB Thief developers conducting testing to make sure the trojan worked properly under a variety of different scenarios. The malware won't install itself in the event the target machine is running antivirus software from Kaspersky Lab or G Data (Owano, 2016). For more information, see http://arstechnica.com/security/2016/03/stealthy-malware-targeting-air-gapped-pcs-leaves-no-trace-of-infection/?utm_medium=email&utm_source=flipboard.
Second, a nuclear power plant in Germany has been found to be infected with computer viruses. The viruses found included W32.Ramnit and Conficker at the Gundremmingen's B unit and on 18 removable data drives. W32.Ramnit is designed to steal files from infected computers and targets Microsoft Windows software and is intended to give an attacker remote control over a system when it is connected to the Internet. Conficker has infected millions of Windows computers worldwide since 2008. It is able to spread through networks and by copying itself onto removable data drives (Steitz & Auchard, 2016).
Air gap devices and networks can give a false sense of security through obscurity. Obscurity is not a control method and security professionals have to methodically determine assets and determine the threats to include the vulnerabilities that can be exploited in every device and system.
References:
Zetter, K. (2014, December 08). Hacker Lexicon: What is an Air Gap? Retrieved May 23, 2016, from https://www.wireed.com/2014/12/hacker-lexicon-air-gap/ WIRED
Owano, N. (2016, March 26). USB malware goes after air-gapped computers. Retrieved May 23, 2016, from http://techxplore.com/news/2016-03-usb-malware-air-gapped.html?utm_medium=email
Steitz, C., & Auchard, E. (2016, April 27). German nuclear plant infected with computer viruses, operator says. Retrieved May 23, 2016, from http://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS?utm_medium=email