Sophisticated 'ProjectSauron' malware hid, undetected, for years

Security researchers have identified a complex malware dubbed “ProjectSauron” that hid, undetected, within a number of organizations for five years.

On Monday, cybersecurity company Kaspersky Lab described ProjectSauron as an extremely sophisticated cyber-espionage platform. The malware, it added, is designed to conduct “long-term campaigns through stealthy survival mechanisms.”

The spying malware’s name refers to Sauron, the all-seeing antagonist in J.R.R. Tolkien’s “The Lord of the Rings.”

“The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations,” Kaspersky Lab noted. “It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.”

The malware can even steal data from computers that are not connected to the internet, using USB drives that carry the stolen data in an area invisible to the computer’s operating system.
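The article does not say how ProjectSauron hides its USB store, so the following is an added example of one check a responder can run, not code from the page or from Kaspersky Lab: parse a drive image’s MBR partition table, compute the sectors that no partition claims, and report any such sectors that are not all zeros. It assumes a classic MBR layout (not GPT) and that the hidden area lies outside every partition; data hidden inside a volume (slack space, unused clusters) would need a filesystem-level check. The sample image is constructed in the script itself so the check runs offline.

```python
import struct
import sys

SECTOR = 512  # assumed sector size


def parse_mbr_partitions(image):
    """Return (lba_start, sector_count, type) for each populated primary MBR entry."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count:
            parts.append((lba_start, count, ptype))
    return parts


def unallocated_ranges(image, parts):
    """Sector ranges [start, end) covered by no partition; sector 0 (the MBR) is excluded."""
    total = len(image) // SECTOR
    used = sorted((s, s + c) for s, c, _ in parts)
    gaps = []
    cursor = 1
    for s, e in used:
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps


def nonzero_sectors(image, start, end):
    """Sector numbers in [start, end) that contain at least one non-zero byte."""
    return [n for n in range(start, end) if any(image[n * SECTOR:(n + 1) * SECTOR])]


def find_hidden_data(image):
    """For each unallocated range holding data, return (range_start, range_end,
    first_nonzero_sector, last_nonzero_sector, nonzero_sector_count)."""
    findings = []
    for start, end in unallocated_ranges(image, parse_mbr_partitions(image)):
        hits = nonzero_sectors(image, start, end)
        if hits:
            findings.append((start, end, hits[0], hits[-1], len(hits)))
    return findings


def build_sample_image():
    """Constructed test image (not real evidence): 2048 sectors, one FAT32 partition at
    sectors 64..1087, and non-zero data planted in unallocated sectors 1200..1299 to
    stand in for a store the OS never mounts."""
    total = 2048
    img = bytearray(total * SECTOR)
    # status=0x80, CHS start (3 bytes), type=0x0C (FAT32 LBA), CHS end (3 bytes), LBA start, count
    img[446:462] = bytes([0x80, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 64, 1024)
    img[510:512] = b"\x55\xaa"
    img[64 * SECTOR:(64 + 1024) * SECTOR] = bytes(range(256)) * (1024 * SECTOR // 256)
    planted = b"hidden-store-" * (SECTOR // 13)
    for n in range(1200, 1300):
        img[n * SECTOR:n * SECTOR + len(planted)] = planted
    return bytes(img)


if __name__ == "__main__":
    # Usage: python3 check_usb.py [raw image or block device]; no argument runs the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for start, end, first, last, count in find_hidden_data(data):
        print(f"unallocated sectors {start}-{end - 1}: {count} non-zero sectors ({first}-{last})")
```

A clean drive usually shows only zeros (or vendor filler) outside its partitions, so any sizeable run of non-zero sectors there is worth imaging and examining; the check is a triage step, not proof of this particular malware.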

Also known as “Strider”, ProjectSauron was identified by Kaspersky Lab in September 2015. The malware was operational as early as June 2011 and remained active until April 2016, according to the security company, although it may still be present on some computer systems.

Kaspersky Lab found more than 30 organizations infected by the malware in Russia, Iran, Rwanda and possibly Italy. “Many more organizations and geographies are likely to be affected,” it added.

Government, scientific research, military and financial organizations have been attacked, as well as telecommunication providers. Kaspersky Lab says that it worked with industry partners and law enforcement agencies to notify the victims.

In a blog post Sunday, security company Symantec said it had identified attacks in Russia, China, Sweden, and Belgium, citing evidence of infections on 36 computers across seven separate organizations. “The group’s targets include a number of organizations and individuals located in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium,” it explained.

Symantec reports that the malware used to conduct spying attacks contains a reference to Sauron. “It opens a back door on an infected computer, can log keystrokes, and steal files,” Symantec said.

As attackers develop ever more sophisticated tools, cybersecurity presents a constant challenge for governments, businesses, and users. Earlier this week, for example, security firm Check Point identified vulnerabilities affecting 900 million Android smartphones and tablets that use chipsets from component maker Qualcomm.

Follow James Rogers on Twitter @jamesjrogers