"In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network," reads a report published by the software company on Monday.
"Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server…Additional research revealed signs of a previously unknown threat actor, responsible for large-scale attacks against key governmental entities."
The malware has been discovered on at least 30 targets and has been active for some five years. Given that it went this long without detection, the software firm suspects a state-sponsored group is behind the release.
"The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operations will be harder to discover," the report reads.
"We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg."
Detailing the exact number of infected servers could prove difficult. While most malware reuses certain parts of code, Project Sauron appears to customize itself for each target. Uncovering it in one server does little to help track it down in others.
Even stranger, Project Sauron can infect computers that are not connected to the internet.
"To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine," the report says.
"These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving an amount of hidden data (several hundred megabytes) at the end of the disk for malicious purposes."
The malware’s primary goal appears to be to obtain passwords, IP addresses, cryptographic keys, and configuration files. While researchers have not revealed which government agencies were infected, Kaspersky Lab did confirm it infected servers in Russia, Iran, and Rwanda.
Researchers also said they could not confirm which nation may have been behind the virus.
"When dealing with the most advanced threat actors, as is the case with Project Sauron, attribution becomes an unsolvable problem."
