{
	"id": "f3ca012b-725f-42e9-acfa-e747c968f1e7",
	"created_at": "2026-04-06T00:09:13.382415Z",
	"updated_at": "2026-04-10T03:37:50.657649Z",
	"deleted_at": null,
	"sha1_hash": "ee46bbd0cdf5ca9900d3616ebda5ef4a78aeda75",
	"title": "Sednit Espionage Group Attacking Air-Gapped Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1168337,
	"plain_text": "Sednit Espionage Group Attacking Air-Gapped Networks\r\nBy Joan Calvet\r\nArchived: 2026-04-05 14:10:31 UTC\r\nMalware\r\nThe Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various\r\ninstitutions for many years. We recently discovered a component the group employed to reach physically isolated\r\ncomputer networks -- “air-gapped” networks -- and exfiltrate sensitive files from them through removable drives.\r\n11 Nov 2014  •  , 9 min. read\r\nThe Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various\r\ninstitutions for many years. We recently discovered a component the group employed to reach physically isolated\r\ncomputer networks -- “air-gapped” networks -- and exfiltrate sensitive files from them through removable drives.\r\nIntroduction\r\nLast month ESET discovered that the Sednit group was performing watering-hole attacks using a custom-built\r\nexploit kit. Over the last few weeks several pieces of intelligence have been shared on this group, including the\r\nOperation Pawn Storm report from Trend Micro and the APT28 report from FireEye.\r\nIn this blog post, we are sharing knowledge of a tool employed to extract sensitive information from air-gapped\r\nnetworks. ESET detects it as Win32/USBStealer.\r\nWe believe the Sednit group has been using this tool at least since 2005, and is still using it today against their\r\nusual types of target, namely governmental institutions in Eastern Europe. Several versions of the tool have been\r\nemployed over the past few years, with various degrees of complexity.\r\nWin32/USBStealer strategy\r\nA common security measure for sensitive computer networks is to have them totally isolated from the outside\r\nworld via an “air gap”. 
As the name implies, these networks do not possess any direct, outside connections to the Internet.\r\nHowever, the use of removable drives can create paths to the outside world. This is particularly true when the same removable drive is repeatedly plugged into both Internet-connected machines and air-gapped machines, such as when transferring files.\r\nThis is the scenario that is exploited by Win32/USBStealer in order to reach air-gapped networks. The following image presents a high-level overview of this strategy in the simple case of just two computers. Computer A is connected to the Internet and is initially infected with the Win32/USBStealer dropper, whereas Computer B is physically isolated and becomes infected with Win32/USBStealer during the attack.\r\nhttp://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/\r\nPage 1 of 8\n\nFigure 1 - Attack Scenario\r\nIn this scenario the same removable drive goes back and forth between the Internet-connected Computer A and the air-gapped Computer B. We are now going to explain each step of this attack in more detail. We focus here on the most complex version of Win32/USBStealer observed.\r\nStep 1: First insertion in Computer A\r\nComputer A is initially infected with the Win32/USBStealer dropper, detected as Win32/USBStealer.D by ESET. The dropper file name is USBSRService.exe, and it tries to mimic a legitimate Russian program called USB Disk Security, as shown below.\r\nFigure 2 - Win32/USBStealer Dropper Metadata\r\nThe main logic of the dropper is as follows:\r\nIt monitors the insertion of removable drives into the machine by creating a window with a callback that is notified when such events occur.\r\nOnce a removable drive is inserted, the dropper decrypts two of its resources in memory. 
The first one drops the program Win32/USBStealer onto the removable drive under the name “USBGuard.exe”; as the AUTORUN.INF path below shows, it is placed in the drive's System Volume Information folder. The second resource is an AUTORUN.INF file whose content is shown below.\r\n[autorun]\r\nopen=\r\nshell\\open=Explore\r\nshell\\open\\command=\"System Volume Information\\USBGuard.exe\" install\r\nshell\\open\\Default=1\r\nThis file is dropped onto the removable drive root. It ensures that double-clicking on the drive executes USBGuard.exe, as does clicking on the first right-click option (renamed “Explore” instead of “Open”). This only works on computers with the Windows AutoRun feature enabled, which the Windows update KB971029 (August 2009) disabled for USB and other non-optical removable drives. It may seem a long time ago, but we believe Win32/USBStealer started to propagate at least four years before that period. Moreover, it is common for machines in air-gapped networks to be out of date, because they can be hard to update and they are assumed to be unreachable by attackers.\r\nFinally, an empty file named “desktop.in” is dropped onto the removable drive. It serves as a sign to other infected machines that this drive has been connected to an Internet-connected machine at some point; in other words, the drive is a potential path to the outside world for air-gapped machines.\r\nOverall, the dropper takes great care not to attract attention. For example, both the AUTORUN.INF and USBGuard.exe files have their last-access and last-write timestamps set to those of a standard Windows library chosen on the system. Also, the two decrypted resources are immediately re-encrypted in memory after having been dropped on the removable drive. 
Finally, all dropped files are set with the hidden and system file attributes, to help ensure that they remain unnoticed by casual users.\r\nStep 2: First insertion in Computer B\r\nWhen the USB drive is inserted in Computer B, which has AutoRun enabled, Win32/USBStealer installs itself. It then enumerates all drives connected to the machine and, depending on the drive’s type, executes a different logic:\r\nIf the drive is removable and has been marked as having been connected to an Internet-capable machine (thanks to the desktop.in file dropped in step 1), Computer B registers itself on the drive by creating a folder with its computer name. This registration allows the operators to map the reachable machines when the drive comes back to Computer A. Computer B also keeps track of the drive locally by recording its hardware ID. Thus even if the user removes desktop.in from the drive, Computer B will remember that this drive can be used as a path to the outside.\r\nIf the drive is non-removable, or is removable but carries no sign of having been connected to an Internet-connected machine, Win32/USBStealer executes an automatic exfiltration procedure (as opposed to the manual procedure we describe later).\r\nThe purpose of this step is to group interesting files from all these drives in the same local directory. The actual exfiltration happens the next time the “marked” removable drive gets inserted into Computer B. \"Interesting files\" are here defined as:\r\nFiles whose extension is “.skr”, “.pkr” or “.key”. The first two correspond to the default extensions for the “keyrings” of the PGP Desktop cryptographic application; these files store private and public keys respectively. The “.key” extension is often used by cryptographic tools for files storing generated keys.\r\nFiles whose name belongs to a hardcoded list. 
We have observed two different lists in the wild:\r\nList 1 (possible period of use: 2005): Win32Negah.dll, Ssers.dat, Settings.dat, Negah2.exe, DtInt.dat, Audit.dat\r\nList 2 (possible period of use: 2011-2014): key.in, key.out, z_box.exe, talgar.exe\r\nThe possible period of use corresponds to the compilation timestamps of the files containing these lists.\r\nWe found very few references for most of these file names on the Internet, probably because they belong to private software. Interestingly, Talgar (from “talgar.exe”) is a town in the Almaty Province of southeastern Kazakhstan.\r\nThe malware searches for these files everywhere on the machine, except in folders matching the following antivirus names: Symantec, Norton, McAfee, ESET Smart Security, AVG9, Kaspersky Lab and Doctor Web.\r\nStep 3: Second insertion in Computer A\r\nThe malware operators collect from the drive the computer name that Computer B registered. As the dropper running on Computer A does not implement anything more than what we previously described, the operators must have another malicious component running on Computer A in order to achieve that step.\r\nThen, the operators drop commands for Computer B onto the removable drive, in an encrypted file named “COMPUTER_NAME.in”.\r\nStep 4: Second insertion in Computer B\r\nWhen the removable drive comes back to Computer B, Win32/USBStealer drops onto it the files grouped during the automatic exfiltration procedure described in step 2, above. The next time the removable drive gets connected to Computer A, the operators will be able to grab these “air-gapped” files.\r\nWin32/USBStealer then decrypts the command file dropped by the operators for Computer B. It contains a series of commands that are executed consecutively. 
Each command is a two-byte number followed by a parameter:\r\n0x0001 (parameter: Windows path) - Copies files matching the path to the removable drive.\r\n0x0002 (parameter: Root = Path = Day) - Copies files whose path matches “Root\\Path*” to the removable drive, but only if they have been modified less than Day days ago.\r\n0x0003 (parameter: Root = Path = Day) - Same as command 0x0002, but the parameter is also written to the startup monitoring file (see below).\r\n0x0004 (parameter: should be set to “!”) - Launches the automatic exfiltration function (see step 2) on all connected drives.\r\n0x0005 (no parameter) - Removes the startup monitoring file (see below).\r\n0x0006 (parameter: Windows path) - Executes a copy of the file pointed to by the parameter under the name “taskrel.exe”.\r\n0x0007 (no parameter) - Removes the file named “taskrel.exe”.\r\n0x0008 (parameter: Root = Path = Day) - Writes the names of the files matching “Root\\Path*” that have been modified less than Day days ago to a file named “inres.in” on the removable drive.\r\n0x0009 (no parameter) - Removes the file named “inres.in”.\r\nCommands 0x0003 and 0x0005 refer to the startup monitoring file, a file stored locally on Computer B containing file patterns in the format “Root = Path = Day”. Each time the machine boots up, command 0x0002 is executed on these patterns. This allows long-term monitoring for files of interest.\r\nCommand 0x0008 serves as a means of discovering possibly interesting files. We can speculate that operators start with command 0x0008, and then run commands 0x0002 or 0x0003 to collect files of possible interest.\r\nFor all commands that copy files to removable drives there is a fallback mechanism. 
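A model of the command loop described above, as an added example written for this page rather than code from ESET or from the malware: it encodes and decodes a command stream, dispatches the nine command numbers from the table over an in-memory stand-in for Computer B, records “Root = Path = Day” patterns in the startup monitoring file and replays them on boot, and groups files locally when the drive cannot be written. The record layout (2-byte little-endian command number, 2-byte little-endian parameter length, UTF-8 parameter), the forward-slash paths and the sample file listing are assumptions made for the example; the page does not document the parameter encoding or the encryption of COMPUTER_NAME.in.

```python
import fnmatch
import struct
from dataclasses import dataclass, field

# Command numbers are those of the table above. The rest is a model written for
# this page, not ESET's code or the malware's: the record layout (2-byte
# little-endian command number, 2-byte little-endian parameter length, UTF-8
# parameter) and the forward-slash paths are assumptions made for the example.
AUTO_EXFIL_EXT = ('.skr', '.pkr', '.key')
AUTO_EXFIL_NAMES = {'win32negah.dll', 'ssers.dat', 'settings.dat', 'negah2.exe',
                    'dtint.dat', 'audit.dat', 'key.in', 'key.out', 'z_box.exe',
                    'talgar.exe'}                      # both hardcoded lists
AV_FOLDERS = ('symantec', 'norton', 'mcafee', 'eset smart security', 'avg9',
              'kaspersky lab', 'doctor web')           # folders the search skips

@dataclass
class Host:                                            # in-memory stand-in for Computer B
    files: dict                                        # path -> days since last write
    drive_writable: bool = True
    drive: dict = field(default_factory=dict)          # what lands on the removable drive
    staging: dict = field(default_factory=dict)        # local fallback directory
    monitor: list = field(default_factory=list)        # startup monitoring file patterns
    taskrel: object = None                             # file running as taskrel.exe, if any

def encode(commands):
    # Build the decrypted content of a COMPUTER_NAME.in command file.
    out = b''
    for number, param in commands:
        raw = param.encode('utf-8')
        out += struct.pack('<HH', number, len(raw)) + raw
    return out

def decode(stream):
    pos, commands = 0, []
    while pos + 4 <= len(stream):
        number, size = struct.unpack_from('<HH', stream, pos)
        pos += 4
        commands.append((number, stream[pos:pos + size].decode('utf-8')))
        pos += size
    return commands

def copy_out(host, path):
    # Copy to the drive; when the drive cannot be written, group the file locally.
    target = host.drive if host.drive_writable else host.staging
    target[path] = host.files[path]

def recent(host, spec):
    # Files under Root/Path* modified fewer than Day days ago.
    root, path, day = (s.strip() for s in spec.split('='))
    prefix = root.rstrip('/') + '/' + path
    return [p for p, age in host.files.items() if p.startswith(prefix) and age < int(day)]

def auto_exfil(host):
    # Step 2 logic: keyrings and hardcoded names, skipping antivirus folders.
    for path, age in host.files.items():
        name = path.rsplit('/', 1)[-1].lower()
        if not any(av in path.lower() for av in AV_FOLDERS) and (
                name.endswith(AUTO_EXFIL_EXT) or name in AUTO_EXFIL_NAMES):
            host.staging[path] = age

def run(host, stream):
    for number, param in decode(stream):
        if number == 0x0001:
            for path in fnmatch.filter(list(host.files), param):
                copy_out(host, path)
        elif number in (0x0002, 0x0003):
            for path in recent(host, param):
                copy_out(host, path)
            if number == 0x0003:
                host.monitor.append(param)
        elif number == 0x0004 and param == '!':
            auto_exfil(host)
        elif number == 0x0005:
            host.monitor.clear()
        elif number in (0x0006, 0x0007):
            host.taskrel = param if number == 0x0006 else None
        elif number == 0x0008:
            host.drive['inres.in'] = recent(host, param)
        elif number == 0x0009:
            host.drive.pop('inres.in', None)

def on_boot(host):
    # Each boot re-runs command 0x0002 on every startup-monitoring pattern.
    for spec in host.monitor:
        for path in recent(host, spec):
            copy_out(host, path)

def demo():
    # Constructed file listing for Computer B (path -> days since last write).
    host = Host(files={'C:/Users/op/Documents/plan.docx': 2,
                       'C:/Users/op/Documents/old.docx': 40,
                       'C:/Users/op/AppData/Roaming/PGP/secring.skr': 90,
                       'C:/Program Files/ESET Smart Security/eset.key': 1,
                       'C:/ops/talgar.exe': 300})
    run(host, encode([(0x0008, 'C:/Users/op = Documents = 7'),   # discover
                      (0x0003, 'C:/Users/op = Documents = 7'),   # collect and keep watching
                      (0x0004, '!'),                             # automatic exfiltration
                      (0x0001, '*/ops/*')]))                     # explicit path
    return host
```

Running demo() follows the sequence the text speculates about: 0x0008 lists the recent documents in inres.in, 0x0003 copies them and keeps the pattern for every later boot, the automatic procedure stages the PGP secret keyring and talgar.exe while skipping the ESET folder, and anything staged while the drive is read-only waits for the next writable drive.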
If the copy fails, for example because write access to the drive is not granted, the files are grouped in a local directory instead. They will be copied onto the next Internet-capable drive that gets connected to the machine.\r\nConclusion\r\nWin32/USBStealer shows the high level of determination of its operators, the Sednit group. Here are some surprising things discovered during the investigation:\r\nAlmost 10 years of operation: The earliest compilation date we found for the Win32/USBStealer payload is May 2005, as shown in the figure below. As the compiler version that produced this particular binary is consistent with the compilation date, and since other Win32/USBStealer payloads have realistic compilation timestamps (dating from the past few years), we believe this represents the actual date of operation for this program.\r\nPrecise targeting: The names of the files searched for by the automatic exfiltration procedure indicate very precise knowledge of the targets.\r\nSome open questions remain; for example, it is currently unclear how the initial infection occurred. We can speculate that the classic spear-phishing technique has been used. It should be noted that the recent FireEye report on this group describes a spear-phishing campaign using the topic “USB Disk Security is the best software to block threats that can damage your PC or compromise your personal information via USB storage.”\r\nIn the attack scenario we described, Computer A has to be already controlled by the miscreants. 
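A triage check for the removable-drive artifacts described in steps 1 to 4, as an added example written for this page rather than ESET's tooling: it parses AUTORUN.INF and flags an open or command verb that runs an executable out of System Volume Information or names USBGuard.exe, reports the desktop.in marker, the per-host registration folders, operator command files and inres.in, and any executable under System Volume Information. The sample drive layout is constructed for the demo; treating an otherwise empty root-level folder on a marked drive as a host registration is an assumption, and the parser is a minimal INI reader, not a full Windows AutoRun implementation.

```python
import os
import tempfile

# Added triage script for this page, not ESET's tooling. It looks for the
# removable-drive artefacts of steps 1 to 4: an AUTORUN.INF whose verb runs an
# executable from System Volume Information, the desktop.in marker, host
# registration folders, operator *.in files and inres.in.
BS = chr(92)    # backslash, spelled out so the INI keys below are unambiguous
DQ = chr(34)    # double quote
SVI = 'System Volume Information'

def parse_autorun(text):
    # Minimal INI reader: lower-cased keys of the [autorun] section, with
    # backslashes normalised to '/', so shell\open\command -> shell/open/command.
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('['):
            in_section = line.lower() == '[autorun]'
        elif in_section and '=' in line:
            key, value = line.split('=', 1)
            entries[key.strip().lower().replace(BS, '/')] = value.strip()
    return entries

def autorun_findings(text):
    entries, found = parse_autorun(text), []
    for key, value in entries.items():
        if key != 'open' and not key.endswith('/command'):
            continue
        target = value.replace(DQ, '').replace(BS, '/').lower()
        if target.startswith(SVI.lower() + '/'):
            found.append(('autorun_svi_exec', key + '=' + value))
        if 'usbguard.exe' in target:
            found.append(('autorun_usbguard', key + '=' + value))
    if entries.get('shell/open', '').lower() == 'explore':
        found.append(('autorun_explore_verb', 'shell/open=Explore'))
    return found

def scan_drive(root):
    found = []
    names = {n.lower(): n for n in os.listdir(root)}
    if 'autorun.inf' in names:
        with open(os.path.join(root, names['autorun.inf']), errors='replace') as fh:
            found += autorun_findings(fh.read())
    marked = 'desktop.in' in names
    if marked:
        found.append(('marker', 'desktop.in'))
    for lower, name in names.items():
        full = os.path.join(root, name)
        if lower.endswith('.in') and lower != 'desktop.in':
            found.append(('command_or_listing_file', name))   # COMPUTER_NAME.in / inres.in
        elif marked and os.path.isdir(full) and lower != SVI.lower() and not os.listdir(full):
            # Assumption: a registration folder is an otherwise empty root directory
            # named after the air-gapped host; only meaningful on a marked drive.
            found.append(('registration_folder', name))
    svi = os.path.join(root, SVI)
    if os.path.isdir(svi):
        for name in os.listdir(svi):
            if name.lower().endswith('.exe'):
                found.append(('svi_executable', name))
    return found

def build_sample_drive(root):
    # Constructed drive layout for the demo, not a real capture.
    os.makedirs(os.path.join(root, SVI))
    os.makedirs(os.path.join(root, 'WS-ACCOUNTING'))        # host registration folder
    os.makedirs(os.path.join(root, 'Photos'))               # ordinary user data
    autorun = ['[autorun]', 'open=', 'shell' + BS + 'open=Explore',
               'shell' + BS + 'open' + BS + 'command=' + DQ + SVI + BS + 'USBGuard.exe' + DQ + ' install',
               'shell' + BS + 'open' + BS + 'Default=1']
    with open(os.path.join(root, 'AUTORUN.INF'), 'w', newline='') as fh:
        fh.writelines(line + os.linesep for line in autorun)
    for rel in ('desktop.in', 'WS-ACCOUNTING.in', 'inres.in', 'Photos/holiday.jpg', SVI + '/USBGuard.exe'):
        with open(os.path.join(root, *rel.split('/')), 'wb') as fh:
            fh.write(b'MZ' if rel.endswith('.exe') else b'')

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive(root)

if __name__ == '__main__':
    for tag, detail in demo():
        print(tag, detail)
```

Point scan_drive() at the root of a mounted drive or an extracted image; on the constructed sample it reports every artifact class of the attack, while the Photos folder, which contains a file, is not mistaken for a registration folder.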
Since the Win32/USBStealer dropper has no ability to communicate over the Internet, we can speculate that other malicious components are running on Computer A.\r\nIndicators of Compromise (IOC)\r\nDropper\r\nRegisters a service named \"USB Disk Security\" with the description \"Provide protection against threats via USB drive\".\r\nAlternatively, registers itself under the “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” registry key, under the name “USB Disk Security”.\r\nOpens a mutex named “ZXCVMutexHello”.\r\nResources of type “X”: ID=109 for the payload, ID=106 for the AUTORUN.INF file.\r\nPayload\r\nRegisters a service named \"USBGuard\" with the description \"Protects removable media from becoming infected with malware\".\r\nAlternatively, registers itself under the “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” registry key, under the name “USBGuard”.\r\nOpens a mutex named “USB_Flash”.\r\nHashes\r\nSHA1 BB63211E4D47344514A8C79CC8C310352268E731 - Dropper (USBSRService.exe) - ESET detection name Win32/USBStealer.D\r\nSHA1 776C04A10BDEEC9C10F51632A589E2C52AABDF48 - Payload (USBGuard.exe) - ESET detection name Win32/USBStealer.A\r\nSource: http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/"
	],
	"report_names": [
		"sednit-espionage-group-attacking-air-gapped-networks"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434153,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee46bbd0cdf5ca9900d3616ebda5ef4a78aeda75.pdf",
		"text": "https://archive.orkl.eu/ee46bbd0cdf5ca9900d3616ebda5ef4a78aeda75.txt",
		"img": "https://archive.orkl.eu/ee46bbd0cdf5ca9900d3616ebda5ef4a78aeda75.jpg"
	}
}