Imagine for a moment that you are a CIA hacker. You and your team have been working for months to compromise the top secret weapons program of the rogue third world country named Upper Crackistan. You have managed to infiltrate several networks associated with the project and gathered an enormous amount of data, but you haven’t been able to cause any damage to the project. It is apparent from the internal documents you have gathered that the computers which run the important work of the project are on an air-gapped network (a computer network not connected to any outside networks), so you can’t scan them for weaknesses. How do you get to them?
The CIA answered this question in 2012 with the implementation of tools named EZCheese and Emotional Simian, and then replaced them in 2016 with the Brutal Kangaroo framework, as revealed by Wikileaks in its latest Vault 7 data dump. These tools are as ingenious in their design as they are malevolent in their action.
There is no doubt that air-gapping networks or computers is the best way to make intrusion difficult. The problem is that since these systems can’t communicate with the Internet to transfer files between them and the outside world, actual humans must transfer the data manually between internet connected unsecured computers and air-gapped computers.
Brutal Kangaroo takes advantage of this critical weakness. CIA operators identify key personnel in the targeted organization who are most likely to interact with the air-gapped systems, and use any available means, including Cherry Blossom, Pandemic, Athena, or Archimedes, to remotely compromise the unsecured internetworked workstation of those people. Once an operator has remote access to an unsecured workstation, known as a primary host, he downloads and installs the Brutal Kangaroo framework to it. The operator can then configure Brutal Kangaroo to infect any USB drive used on the primary host with malware. The USB drive then infects every other machine it enters.
When Brutal Kangaroo infects an air-gapped computer, it surveys the machine that it is installed on and performs operations based on what it learns, including copying files to the USB drive to return to the primary host or executing more malware. So, let’s say that Dr. Bubba Plumber, an Upper Crackistani rocket scientist is in the habit of using his USB drive to transfer software updates once a month from his primary workstation to his air-gapped network machine. On day one, the CIA operator successfully infects the first air-gapped machine with Brutal Kangaroo, and it surveys the machine and copies targeted files. The next time the rocket scientist plugs the USB drive back into his unsecured workstation, Brutal Kangaroo gathers up the information and the operator can take what he learns to write custom malware specifically designed for the air-gapped target, which will execute the next time the USB drive visits the air-gapped machine.
What is amazing about this framework is that if an infected USB drive infects more than one machine on an air-gapped network, the affected computers create a shadow network to share drives, tasks, and payloads between each other. So when CIA operators eventually find and infect the computer with software that can be broken to hurt to the Crackistani weapons program, they no longer have to wait for someone to put an infected USB drive in that particular system. When the USB stick with new instructions visits any system on the air-gapped network, Brutal Kangaroo will transfer the new malware and instructions to the right machine. This feature turns what use to be a Hail Mary pass into an advanced threat against air-gapped networks.
So in our hypothetical, the CIA contractor finds a few key scientists and IT personnel, sets up all their workstations with Brutal Kangaroo, uses their USB drives to infect as many air-gapped machines as possible, and gathers information from them. When he finds the computer with software that tells missiles when to detonate, he has Brutal Kangaroo relay back the critical payload detonation files. He then rewrites the instructions so that warheads detonate at one thousand feet, and sends instructions to overwrite the program with his own. Visualize the horror on Dr. Plumber’s face when his rocket explodes one second after takeoff. Imagine the embarrassment of Upper Crackistan. The civilized world gets another year of relative peace, and the CIA gets a budget increase.
Of course, this is just a hypothetical, but in broad strokes, this is how it works. Stuxnet worked similarly. It can take years, a massive budget, significant risk, and genius level programmers to pull off, but when properly done, an intelligence agency can derail an entire nuclear weapons program, or ICBM program, electric grid, etc. And you can be confident that other nation states are working overtime to develop these capabilities against us as well.
The good news for you is that air-gapping information is still pretty good protection against any hacker. Your secret marinara recipe just isn’t important enough to the world to justify a team of CIA or Upper Crackistani coders to steal it. They’d just kick in your door and take your server. The bad news is that any nation with advanced infrastructure is vulnerable to these kinds of threats, not just Upper Crackistan. China and Russia are deeply invested in this technology as well, and the U.S. must remain vigilant as well.
