SATAn Targets Air-Gapped Computers with Data Theft, Spying

If you think that the best way to protect data is to keep it off the network, you are not alone. Indeed, organizations responsible for protecting highly sensitive data sometimes use a technique known as “air-gapping.” As noted by TechRepublic, air-gapping involves isolating a computer by removing/disallowing a network connection. The logic is that air-gapping makes it more difficult for cyber threat actors (CTAs) to compromise the isolated computer and, by extension, exfiltrate information from the organization.

But air-gapping isn't as secure as it appears. The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) is well aware of this reality.

"Air-gapped computers and networks are typically a sign of systems that protect highly secure and confidential information or control of critical processes," it explained. "They're commonly found in military organizations, owners of industrial control systems (ICS), as well as U.S. State, Local, Tribal, and Territorial (SLTT) organizations. Given the targets and assets involved, CTAs would most likely need to be motivated by nation-state interests given the overhead costs."

When it comes to targeting an air-gapped computer, removable media is a preferred tactic. But it's not the only one. In this blog post, we’ll discuss how the “SATAn” attack uses the Serial ATA (ATA) interface to target air-gapped attacks.

Inside the SATAn Attack Flow

Discussed in a report written by security researcher Mordechai Guri at the Ben-Gurion University of the Negev, SATAn hinges on the use of covert channels, or communication channels not intended for data transfer. CTAs can try to use these covert channels to exfiltrate information from air-gapped computers. This includes the use of physical media to modulate information into the air.

Such is the case with SATAn. It uses the Serial ATA (SATA), a bus interface which is available on many computer systems and IT environments.

eSATA-USB Port thumbnail

Picture of an eSATA-USB Port. (Hybrid Design). (Source: Wikimedia Commons)

The attack chain relies on transmitting radio signals from the SATA cable to a laptop receiver. Those signals are correlated with sensitive information stored on the air-gapped computer. Once the laptop receiver obtains those signals, it can then reconstruct the exfiltrated information. 

SATAn Air-Gap Exfiltration Attack via Radio Signals From SATA Cables thumbnail

Source: SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables, page 3

Along the way, CTAs can use specific techniques to avoid alerting traditional security technologies.

"In order to evade anti-virus (AVs), Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), the function can be implemented in a separate thread and injected into the memory space of another trusted process in the system," noted Guri in the report.

Other Attempts to Target Air-Gapped Computers

CTAs have already staged multiple attempts in the wild to target air-gapped computers. One of the first instances occurred in 2010. This was when Siemens-made equipment at an Iranian nuclear started malfunctioning for no apparent reason. A security team from Belarus later came to investigate what had happened. During their visit, they found evidence that someone had physically planted Stuxnet, a highly complex malware, onto the infected equipment.

Since then, attacks against air-gapped computers have expanded considerably. In December 2021, for instance, ESET released a report in which it analyzed 17 espionage frameworks designed to specifically target air-gapped computers and networks. The security firm found that the frameworks all used USB drives and exclusively targeted Windows computers through the use of covert channels. Many of those frameworks traced back to known nation-state threat actors such as DarkHotel, Equation Group, and others.

Defensive Measures Against SATAn

According to the CTI team at the MS-ISAC, SATAn poses a threat to SLTTs.

"The risks of data theft and cyber espionage are real," they explained. "This could apply to whatever sensitive information they have. It could even affect elections offices, thus putting the confidentiality and integrity of elections at jeopardy."

SLTTs and other organizations with air-gapped computers must therefore take steps to protect themselves against SATAn. First, they need to focus on preventing CTAs from gaining an initial foothold into their environments. (Neither SATAn nor any other air-gap attack will work without it.) To do this, they need actionable cyber threat intelligence.

This is where MS-ISAC membership can help. The CTI team has an indicator-sharing program for malicious Indicators of Compromise (IOCs). Members can use it in order to defend against known attacks like SATAn.

Adopting security best practices like the CIS Critical Security Controls (CIS Controls) can also be helpful to SLTTs and other organizations. For instance, they can use CIS Control 1: Inventory and Control of Enterprise Assets to ensure that potentially malicious devices such as USB drives and laptop receivers aren't located in physical proximity to SATA cables. They can also use CIS Control 14: Security Awareness and Skills Training to reduce the probability of insider threats and raise the overall security awareness of attacks targeting air-gapped computers. They can do this by working with security awareness training providers like SANS. It is available through CIS CyberMarket, CIS’s collaborative purchasing program which helps SLTTs, nonprofit entities, and public health and education institutions to improve cybersecurity through cost-effective group procurement.