Mind the (Air) Gap: GoldenJackal Gooses Government Guardrails
Summary:
ESET researchers uncovered a cyberespionage campaign by the GoldenJackal APT group that targeted governmental and diplomatic entities in Europe and South Asia between 2019 and 2024. The group's defining focus is breaching air-gapped systems, that is, networks isolated from the internet to protect highly sensitive data, using custom tools carried across the gap on USB drives. The first attack ESET identified dates to August 2019, when the group compromised a South Asian embassy in Belarus. That intrusion used GoldenDealer, which delivers executables to air-gapped machines via USB drives, GoldenHowl, a modular backdoor, and GoldenRobo, a file collection and exfiltration utility. Together these components let the group stage payloads onto isolated hosts and bring collected data back out.
From May 2022 to March 2024, GoldenJackal went after a European Union governmental organization with a new, highly modular toolset. The campaign showed the group's ability to infiltrate, persist in, and exfiltrate data from both internet-connected and isolated networks: the components collect, process, and hand off sensitive information across compromised systems, with USB drives ferrying commands and stolen files between isolated hosts and the internet-connected machines that talk to the command-and-control servers. GoldenUsbCopy and GoldenUsbGo watch for inserted USB drives and copy files of interest for later exfiltration; GoldenAce spreads payloads to USB drives and retrieves collected data from them; and GoldenBlacklist processes archived email messages, discarding those from blacklisted senders, and packages the remainder for exfiltration. Alongside the new toolset, the group kept using modules Kaspersky had already documented: JackalControl, a remote access backdoor, JackalSteal, a file exfiltration tool, and JackalWorm, which propagates through USB drives. GoldenJackal's campaigns demonstrate that determined APT groups can breach even air-gapped networks and are prepared to invest in long-term persistence inside compromised environments.
Security Officer Comments:
That GoldenJackal deployed two distinct toolsets over a five-year period illustrates its resourcefulness and persistence in targeting air-gapped networks, which are traditionally treated as highly secure. The attacks relied heavily on USB drives both to reach isolated systems and to carry sensitive diplomatic and governmental data back out. ESET attributed the activity to GoldenJackal through similarities in code and techniques with tooling Kaspersky had already documented, together with the group's consistent espionage focus. The group is otherwise little known: Kaspersky first described GoldenJackal in 2023, and researchers suspect ties to Russian-speaking developers, based on language artifacts and coding techniques resembling those of other known Russian APT groups.
Suggested Corrections:
IOCs:
https://www.welivesecurity.com/en/e...ap-goldenjackal-gooses-government-guardrails/
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
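The USB-borne staging and propagation described in the summary leaves telemetry that the "continuous monitoring for anomalies" above can act on. The following is an added example, not code from ESET's report or from the GoldenJackal toolset: it runs a small detection over constructed Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records, flags executables written to or launched from removable media, and links a file written to a USB drive on one host to its later execution on another host. It assumes an enrichment table of removable drive letters per host, which in practice would be built from USB-insertion events (for example Windows Security Event ID 6416); host names, paths and timestamps are constructed.

```python
"""Flag USB-borne executable activity in Sysmon-style records and link a
file written to removable media on one host to its execution on another."""
import ntpath
from datetime import datetime

EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr")

# Constructed sample: simplified Sysmon EID 11 (file create) and EID 1
# (process create) records; WS-INET-01 is internet-connected, WS-AIRGAP-07
# is on the isolated network.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:10", "host": "WS-INET-01", "eid": 11,
     "image": "C:\\Users\\alice\\AppData\\Local\\svc\\upd.exe",
     "target": "E:\\drivers\\update.exe"},
    {"ts": "2024-03-01T09:00:12", "host": "WS-INET-01", "eid": 11,
     "image": "C:\\Windows\\explorer.exe",
     "target": "E:\\reports\\q1.docx"},
    {"ts": "2024-03-01T10:15:00", "host": "WS-AIRGAP-07", "eid": 1,
     "image": "E:\\drivers\\update.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-03-01T10:15:05", "host": "WS-AIRGAP-07", "eid": 1,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
]

# Assumed enrichment (hypothetical): removable drive letters seen per host,
# derived in real deployments from USB-insertion telemetry.
REMOVABLE = {"WS-INET-01": {"E:"}, "WS-AIRGAP-07": {"E:"}}


def drive_of(path: str) -> str:
    """Return the Windows drive letter of a path, e.g. 'E:' (ntpath works on any OS)."""
    return ntpath.splitdrive(path)[0].upper()


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXEC_SUFFIXES)


def analyze(events, removable):
    """Return alerts for executables written to or run from removable media,
    plus a chain alert when the same file name is written on one host and
    later executed on a different host (USB propagation across the gap)."""
    alerts = []
    writes = {}  # lower-cased basename -> (host, timestamp) of the write
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        on_usb = lambda p: drive_of(p) in removable.get(host, set())
        if ev["eid"] == 11:
            path = ev["target"]
            if on_usb(path) and is_executable(path):
                alerts.append({"rule": "exe_written_to_removable", "host": host,
                               "path": path, "by": ev["image"]})
                writes[ntpath.basename(path).lower()] = (host, ts)
        elif ev["eid"] == 1:
            path = ev["image"]
            if on_usb(path):
                alerts.append({"rule": "exec_from_removable", "host": host,
                               "path": path, "parent": ev["parent"]})
                src = writes.get(ntpath.basename(path).lower())
                # Same file name, written earlier on a different host: the
                # drive has carried a payload from one machine to another.
                if src and src[0] != host and src[1] < ts:
                    alerts.append({"rule": "usb_propagation_chain",
                                   "from_host": src[0], "to_host": host,
                                   "path": path})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, REMOVABLE):
        print(alert)
```

On the constructed sample this yields three alerts: the executable written to E: on the connected workstation, its launch from E: on the air-gapped host, and the chain linking the two. The document write to the same drive produces nothing, which is the point of keying on executable suffixes rather than on any USB write; in a real deployment the file-name match should be tightened with a hash from Sysmon's `Hashes` field so a benign file sharing a name does not trigger the chain rule.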
https://www.welivesecurity.com/en/e...ap-goldenjackal-gooses-government-guardrails/