ProjectSauron

πŸ”΄ High
Also known as: Strider, Sauron, Project Sauron, G0041, ProjectSauron

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to β€˜Sauron’ in the Lua scripts.

🌍 Country United States
⚑ Risk Level High
🎯 Incident Type Espionage
Intelligence Government Military

Targeted Victims

Russia Iran Belgium China Sweden Rwanda

Introduction

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to β€˜Sauron’ in the Lua scripts.

Activities and Tactics

Targeted Sectors: Intelligence, Government, Military

Country of Origin: πŸ‡ΊπŸ‡Έ United States

Risk Level: High

Incident Type: Espionage

Suspected Victims: Russia, Iran, Belgium, China, Sweden, Rwanda

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CyberGate
  • XtremeRAT
  • Cyber Eye RAT
  • GraphicBooting

Attribution and Evidence

Country of Origin: United States Additional attribution information pending cataloguing.

References

References pending cataloguing.