Not that long ago, we actually published an article about the top baddies in the Dark History of APTs (read it here) and we owe it to ourselves to admit that, after Patchwork, we didn’t really think the cybersecurity landscape could conjure up any such unexpected surprises.

But then Project Sauron came along and, quite frankly, as terrible as a surprise it might be, we cannot help but join the choir of IT security professionals that studied it with fascination (from a strictly intellectual perspective, of course).

As we were saying, the APT frenzy really went over the roof this year as more and more security incidents wearing this label popped up in the media. Unfortunately (for our intellectual thirst for challenge), the vast majority didn’t even deserve to bear the title ‘Advanced Persistent Threat’ (Patchwork again), but so be it.

We’re here to discuss something else entirely – a major breakthrough event in the advancement of cyber-threats and a milestone to add to our APT timeline. “Project Sauron”, as it was baptized by the researchers from Kaspersky Lab that uncovered LOTR hints in its Lua scripts, is every bit as dreadful (and impressive) as the main antagonist in Tolkien’s books.


“Sauron was now a sorcerer of dreadful power, master of shadows and of phantoms,

foul in wisdom and cruel in strength, misshaping what he touched.”

– Description of Sauron in The Silmarillion


“Master of shadows”

According to Kaspersky, the hackers behind Project Sauron are part of a group called Strider (read their full report here), that managed to completely bypass cybersecurity radars for a total of, wait for it, 5 years (!). As indicated in the forensic analysis, this Dark Lord of cyber-espionage was launched sometime in June 2011. That being said, although it appears to have largely ceased its activity, chances are Sauron is still out there somewhere, waiting in the shadows.

Security experts’ first encounter with the notorious threat was in September 2015, when they stumbled upon a suspicious module, which was, in fact, an executable library[1]. The latter was loaded directly onto the memory of a Windows domain controller (DC) a.k.a. the server responsible for allowing host access to Windows domain resources. It later turned out that this is actually the modus operandi of Project Sauron, which commonly registers its persistence module[2] on domain controllers as a Windows LSA (Local Security Authority[3]) password filter.

As a service mostly available to system administrators in order to enforce password policies and validate new passwords, said filter enables access to sensitive data in clear text. Much like the Eye of Sauron, a symbol of the villain’s omnipotence, this passive backdoor sees everything as it launches every time a user logs attempts to log in or changes his/her password.


Sauron: [speaking to Frodo] “You cannot hide. I see you!”

(as long as you’re using a Windows OS)


“Foul in wisdom”

Project Sauron seems to be a new and improved version of the Remsec Trojan horse (recently discovered, as well). However, it takes the game to a whole new other level, surpassing by far the number of modules employed by Remsec. As such, Strider’s ultra-powerful attack is conceived as a modular cyber-espionage platform, comprising a total of 50 modules especially designed to endure long-term campaigns and to adapt according to each individual target. It takes the best ideas out of previously discovered advanced cyber-threats, learns from their mistakes and, thus, reduces the possibility of getting caught. That’s wise alright.

Project Sauron’s core modules are all unique, bear different names and sizes, and change with each victim. They are deployed with the help of a Lua[4] interpreter that allows the hackers to modify existing software deployment scripts, and work just like regular backdoors. Once installed, they go in ‘hibernation’ until specific commands from the incoming network traffic trigger them.

But we’ve this covered already, haven’t we? Indeed. What we forgot to mention, though, was that these modules can also download new modules or enable remote control of the system by running commands purely in the memory. Modules installed hereafter are especially designed for data extraction, as well as for stealing encryption keys.

The novelty here is that the Strider group is also able to exfiltrate data from air-gapped computers (with no internet connection) by using USB storage drives especially planted where data is stored in an area invisible to the OS. To an infected device, the removable drive appears as an approved device, whereas, in the background, you will find a storage space dedicated to holding the existing information of the isolated domain controller. However, it is not yet clear how the USB-enabled exfiltration works, since no ‘helping’ 0-day exploit was discovered.

“Cruel in strength”

Perhaps the strongest point in the strategy of the Strider group is its refined ability to avoid patterns (or almost anyway). Unlike common malware operations that reuse servers, domain names or IP addresses for C&C channels, this state of the art APT actor changes all these elements with each target. One very interesting feature, for instance, is the leveraging of DNS protocol in order to achieve real-time reporting of the operation progress. Once an objective is crossed of the list, Project Sauron issues a DNS-request to a special subdomain which varies from victim to victim.

More so, even the distribution of targets seems to make no sense. We’re used to seeing malicious campaigns being carried out in clustered areas and aiming for specific industries. Interestingly so, in the case at hand, Sauron seems to have its eye just on a selected few. To date, 30 infected organizations were found in Russia, Iran, Rwanda and China, all belonging to key entities of said states (government agencies, research centers, military, telecom, finance and so on).

The main purpose in the end? To gain intelligence regarding passwords, cryptographic keys, configuration files and even IP addresses of the key servers related to any communication encryption software that might have been used by Sauron’s prey.

Researchers estimated that an operation such as Project Sauron would cost millions of dollars and require the coordinated effort of several team. This made way to the speculation that the initiative might have been funded by a nation-state, although no official releases were made on the topic. That aside, it is easy to see why standard security tools stand no chance in detecting such an advanced threat while relying on the same old basic indicators of compromise (IOC)[5].

Attacks such as this can only be noticed in well equipped laboratories, with analysts working around the clock. But then again, even Frodo the hobbit needed some help. If you’re curious to see what are your options, read our article on how to detect Advanced Persistent Threats with advanced security analytics here.

Project Sauron

[1] Collection of resources used by the computer for one specific purpose only.

[2] In computer science, persistence refers to the characteristic of state that outlives the process that created it. This is achieved in practice by storing the state as data in computer data storage.

[3] A process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system.

[4] Originally designed in 1993, Lua is a multi-paradigm programming language for extending software applications to meet the increasing demand for customization. It is, above all, a significant language in the creation of artificial intelligence.

[5] In computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs or domain names of botnet command and control servers. (Source: Wikipedia)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access