A recently discovered hacker has been quietly infiltrating and stealing information from computers around the world, according to Symantec and Kaspersky reports released this week.

“A previously unknown group […] has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium,” the Symantec report said. “The group uses an advanced piece of malware known as Remsec (Backdoor.Remsec) to conduct its attacks. Remsec is a stealthy tool that appears to be primarily designed for spying purposes.”

The hacker was dubbed “Strider” by Symantec and “Project Sauron” by Kaspersky, both references to Lord of the Rings characters and based on a piece of the malware that was uncovered.

(Illustration: Shutterstock)
The Sauron from ‘Lord of the Rings’ is an all-seeing, fiery, evil eye whose sight the characters must avoid in order to destroy the one ring of power. (Illustration: Shutterstock)

“The reference to Lord of the Rings came from a string that was found in the malware,” said Jon DiMaggio, senior threat intelligence analyst at Symantec. The line of code references the character Sauron from Lord of the Rings, an all-seeing, fiery, evil eye whose sight the characters must avoid in order to destroy the one ring of power.

DiMaggio says that while it’s uncertain what the reference means now, it could play into figuring out tp whom to attribute the hack. At this point, attribution is hard, as the hacker has been very judicious in who they’ve targeted.

“It appears that the targeting was very selective,” said DiMaggio. Symantec’s report found 36 infected computers across seven separate organizations and estimates that the group has been active since about October 2011.

The attacks are highly sophisticated and directed, with code that seems tailored to the target rather than a mass hack. According to DiMaggio, this indicates an espionage motivation, as a financially motivated attack would have “a lot larger target base.”

“When someone’s not doing this for financial gain, […] it really indicates cyber espionage,” said DiMaggio, adding that this contributes to the prediction that Strider/ProjectSauron is affiliated with a nation-state actor. “Who benefits from cyber espionage?”

“We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state,” Kaspersky’s report said. It also estimates an operations budget that could run into millions of dollars.

“You’ve kind of got to go not just in the cyber end but in the political end,” said DiMaggio.

Despite the political indicators, and the fact that the attacks happened in only four countries, DiMaggio cautioned that Sauron could branch out or have infected computers that people are unaware of.

“This is probably a small part of a larger picture,” he said.

Read More About
More Topics
Jessie Bur
Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.