European govt air-gapped systems breached using custom malware

Breach mechanism and what actually went wrong

  • Core vector: USB drives shuttled between internet-connected and “air-gapped” systems.
  • Malware on the online machine altered the USB: it hid the most recently used folder and put in its place an executable with the same name and a folder icon, relying on users to click it.
  • Many see this as a very old, basic trick (akin to fake “.jpg.exe” files) rather than sophisticated firmware or side-channel magic.
  • Key failure: users could run arbitrary executables from removable media on a “secure” system.
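
A defender-side check for the decoy pattern described above, added here as an example and not taken from the article or the discussion: it reads a directory listing and flags any executable whose name, once a default-hidden extension is stripped, matches a directory beside it, reporting whether that directory is hidden. The listing it ships with is constructed, the extension set and the Entry/scan_directory/find_folder_decoys names are this example's own assumptions, and the hidden-attribute check falls back to a leading dot where st_file_attributes is not available.

```python
"""Flag the folder-icon executable decoy on removable media.

Added example (not from the article): looks for an executable whose name,
with its default-hidden extension stripped, matches a directory beside it,
the pattern used to make a malicious .exe pass for the user's own folder.
"""
from dataclasses import dataclass
import os
import stat
import sys

# Extensions Windows Explorer hides by default; "Budget 2024.exe" with a
# folder icon renders as "Budget 2024". Assumed list for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}

# Defined in stat on all platforms in current CPython; fall back to the value anyway.
_HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


@dataclass(frozen=True)
class Entry:
    """One directory entry as seen by the scan (name, type, hidden flag)."""
    name: str
    is_dir: bool
    hidden: bool


def executables_present(entries):
    """Return names of all files with an executable extension, in listing order."""
    return [
        e.name for e in entries
        if not e.is_dir and os.path.splitext(e.name)[1].lower() in EXECUTABLE_EXTENSIONS
    ]


def find_folder_decoys(entries):
    """Return (executable, shadowed_dir, dir_hidden) for each decoy candidate.

    Matching is case-insensitive because FAT/NTFS names are. A hidden shadowed
    directory is the strongest signal; a visible one is still worth a look, so
    both are reported with the hidden flag attached.
    """
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    decoys = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() not in EXECUTABLE_EXTENSIONS:
            continue
        shadowed = dirs.get(stem.lower())
        if shadowed is not None:
            decoys.append((e.name, shadowed.name, shadowed.hidden))
    return decoys


def _is_hidden(dir_entry):
    """Hidden attribute on Windows; leading dot elsewhere."""
    if dir_entry.name.startswith("."):
        return True
    attrs = getattr(dir_entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & _HIDDEN_ATTR)


def scan_directory(path):
    """Read one directory (e.g. a mounted USB root) and run the decoy check on it."""
    with os.scandir(path) as it:
        entries = [Entry(d.name, d.is_dir(follow_symlinks=False), _is_hidden(d)) for d in it]
    return find_folder_decoys(entries)


def sample_listing():
    """Constructed USB root listing for demonstration; not data from the article."""
    return [
        Entry("Budget 2024", is_dir=True, hidden=True),        # the user's real folder, now hidden
        Entry("Budget 2024.exe", is_dir=False, hidden=False),  # decoy shown with a folder icon
        Entry("Photos", is_dir=True, hidden=False),
        Entry("notes.txt", is_dir=False, hidden=False),
        Entry("Setup.exe", is_dir=False, hidden=False),        # executable, but not a decoy
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_directory(sys.argv[1])
    else:
        hits = find_folder_decoys(sample_listing())
    for exe, folder, hidden in hits:
        print(f"DECOY: {exe!r} shadows directory {folder!r} (hidden={hidden})")
    if not hits:
        print("no folder decoys found")
```

Run it as `python decoy_scan.py /media/usb` against a mounted drive, or import find_folder_decoys to run the same logic over a listing captured elsewhere. The pairing of a hidden directory with a same-named executable is what separates this from a plain "executable on removable media" alert, which executables_present produces; on a system that is never supposed to run binaries from removable media, both lists should be empty, and a non-empty decoy list is the stronger indicator.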

What “air-gapped” really means (and doesn’t)

  • Several argue these systems weren’t meaningfully air-gapped if writable USB media could move both ways.
  • Others note this matches common definitions: no network link, but data transfer via physical media is allowed.
  • One quote shared: an air gap is effectively “a high-latency connection” because humans and media bridge it.

Removable-media practices and alternatives

  • Many recommend one-way mechanisms (data diodes, cut TX wires, optical links) or read-only media (CD/DVD-R with read-only drives) for import only.
  • Some argue air-gapped networks should never let data out; USB devices should be destroyed or retained after entry.
  • Suggestions include:
    • Disable or epoxy USB ports, allow only specific device classes (e.g., HID).
    • Use dedicated, heavily audited transfer tools, or minimal QR-, audio- or serial-based protocols.
    • Employ forensics-style write blockers on USB media.
  • Others caution that even QR and custom links can be exploited at the application layer.

OS, AV, and architecture choices

  • Many criticize using standard Windows desktops for high-security air-gapped systems, especially with default behaviors (hidden extensions, rich icons, autorun history).
  • Alternatives suggested: hardened Linux/BSD, security-focused OSs like Qubes, minimal templates, and strict execution policies (no binaries off external media).
  • Debate over AV on air-gapped systems: some see it as necessary due to data import; others call AV itself a high-privilege attack surface and sometimes “security theater.”

Human factors and security culture

  • Broad agreement that humans and incentives remain the weakest link: exceptions for VIPs, convenience over rigor, and poor adherence to procedures.
  • Some argue security can eventually be “largely solved” at the technical layer; others insist socio-organizational pressures will keep creating vulnerabilities.

Attribution and reporting

  • Skepticism toward inferring Russian involvement from a single protocol naming convention; seen as weak evidence and poor journalistic practice.