Sauron is one of Tolkien’s evil antagonists in The Lord of the Rings. Like Satan in Paradise Lost, it seems, Sauron fell from grace and runs around causing all sorts of trouble. I don’t know that off the top of my head . . . sorry. I was forced to read The Hobbit in seventh grade. I routinely failed those daily reading quizzes, in part because, well, I wasn’t really reading much of it. I should have.
ProjectSauron is no fantasy. ProjectSauron is a formidable cyber-threat, probably a tell-tale sign of the emerging cyberwarfare and, perhaps, a cyberwar that’s already underway. It’s reminiscent of—but more evil than—Stuxnet. And for cyberwarriors, tracking down its source would be something along the lines of finding the Ark of the Covenant or the Holy Grail.
According to Symantec, “The group uses an advanced piece of malware known as Remsec (Backdoor.Remsec) to conduct its attacks. Remsec is a stealthy tool that appears to be primarily designed for spying purposes.” And in Remsec resides Sauron: Remsec’s “code contains a reference to Sauron, the all-seeing antagonist in Lord of the Rings.”
SecureList describes ProjectSauron as “a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.”
Symantec explains, “A previously unknown group called Strider has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium.” That Strider and ProjectSauron are attacking Russia and China—and have perhaps spread to Sweden, Belgium, and other European countries—suggests the group and the virus are not theirs.
Residents of the cyber-hacker world may well be familiar with Strider, but the threat represented by ProjectSauron and Remsec is bringing Strider to the forefront of pop culture and novice cyber discussions. Engadget reports, “ProjectSauron . . . was only unearthed recently because it was designed not to use patterns security experts usually look for when hunting for malware.” Engadget’s Mariella Moon continues, “The malware can move across a network—across even air-gapped computers that are supposed to be more secure than typical setups—to siphon passwords, cryptographic keys, IP addresses, configuration files, among other data off computers.”
Kaspersky offers a profile of the virus, as well, and reports, “The most noteworthy feature of ProjectSauron’s tactics is the deliberate avoidance of patterns: ProjectSauron customizes its implants and infrastructure for each individual target, and never reuses them. This approach, coupled with multiple routes for the exfiltration of stolen data, such as legitimate email channels and DNS, enables ProjectSauron to conduct secretive, long-term spying campaigns in target networks.”
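Exfiltration over legitimate channels such as DNS, as Kaspersky describes, is the kind of traffic a defender has to spot without any reusable indicator, since ProjectSauron never repeats its implants or infrastructure. The following is an added example, not code from Kaspersky, Symantec or the ProjectSauron reports, that scores a DNS query log for domains receiving many distinct, long, high-entropy subdomain labels; the log lines, domain names and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query logs (timestamp, client, qtype, qname).
# The long hex-looking labels under "cdn-upd.example" mimic data encoded into
# query names; the other lines are ordinary lookups. All names are hypothetical.
SAMPLE_LOG = """\
2016-08-09T10:00:01Z 10.0.0.5 A www.example.com
2016-08-09T10:00:02Z 10.0.0.5 A mail.example.com
2016-08-09T10:00:03Z 10.0.0.7 TXT 6a4f9c1e0b7d3a2f81c5e7.cdn-upd.example
2016-08-09T10:00:04Z 10.0.0.7 TXT 9e21bb7c04d5f6a3e1c8d0.cdn-upd.example
2016-08-09T10:00:05Z 10.0.0.7 TXT c0ffee1234deadbeef5566.cdn-upd.example
2016-08-09T10:00:06Z 10.0.0.7 TXT 7b3d5e9f1a2c4e6d8f0a1b.cdn-upd.example
2016-08-09T10:00:07Z 10.0.0.5 A www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str):
    """Return (first_label, registrable_domain); the last two labels approximate the domain."""
    labels = qname.rstrip(".").split(".")
    return labels[0], ".".join(labels[-2:])

def find_suspect_domains(log_text: str, min_unique=4, min_label_len=16, min_entropy=3.0):
    """Flag domains whose distinct first labels are numerous, long and high-entropy."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        first, domain = split_name(parts[3])
        per_domain[domain].add(first)
    suspects = {}
    for domain, labels in per_domain.items():
        if len(labels) < min_unique:
            continue  # a few fixed hostnames is normal traffic
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            suspects[domain] = {"unique_labels": len(labels), "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return suspects
```

Thresholds tuned on a real resolver's logs will differ; the point is that cardinality, length and entropy of query labels per domain can surface a covert channel even when no known indicator exists.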
In other words, ProjectSauron seems to be getting ready for something.
Perhaps something really big.