With everyone wearing masks and wincing each time someone coughs, airborne viruses have captured the attention of the world. Your client’s network can’t catch COVID-19 from a sneeze, but it can catch other airborne viruses.

The absolute safest way to safeguard a network is to seal it off. Have a closed network with no access to Wi-Fi, no connection to the outside, and all its secrets are safe. Easy enough.

Turns out easy enough isn’t so easy. Cybercriminals have long considered these closed networks to be the Holy Grail of hacking, and breaching them is becoming increasingly within reach.

What are air-gapped networks?

Your average accounting office client or medical facility doesn’t have an air-gapped network. Most air-gapped systems are located within super sensitive government or military installations, and they are designed to keep information under lockdown by having a network that is not connected. This includes having Wi-Fi interfaces disabled or non-existent. These networks are physically removed from central enterprise systems, and the only way to extract information from them is with hardware such as a thumb drive.

“This is not something your small-town MSP has to be concerned about,” Dolph Roberts, a cybersecurity consultant in Denver who has studied airgaps, tells Smarter MSP. Still, Roberts thinks MSPs should be monitoring the issue.

“The reason this is a good issue to talking about, is that often these tip-of-the-iceberg technologies become the iceberg,” Robers says. In other words, “just because it’s a rarity today, doesn’t mean it will be five years from now,” he adds. And part of the job description of an MSP is to try to look ahead and prepare for eventualities.

Roberts also advises that air-gapped networks are becoming more common. While once the realm primarily of government and military, more and more industries that handle proprietary data are starting to experiment with them. As air-gapped networks gain popularity, the chances of an MSP finding one in their portfolio is growing.

The danger is that IT staff and MSPs may view the air-gapped networks as impenetrable, and neglect to pay attention to the security aspects of these networks since it is assumed that air gapping is impenetrable. It’s not.

Traveling through the air

Roberts says that hackers have had the technology in place for a while to infect air-gapped networks through the air using peripheral devices such as sound cards and microphones to transmit malicious code via high-pitched frequencies. This is ominous because it removes the need for a connection.

In 2017, Researchers at Ben-Gurion University in Israel discovered that it’s possible to “trick” a fully offline computer into leaking data to another nearby device via the hum that the internal fan creates, or by tinkering with air patterns and thermal imaging cameras. Specific blinking light patterns can fool an offline computer, and researchers have theorized that a whole host of tools to break into an air-gapped network can be delivered via drone. Again, not something the average MSP needs to worry about. For now.

“But, this is the type of scenario that keeps security experts up at night, not worrying about current threats – we know what those are – but future threats,” Roberts adds.

Still, in most cases, someone needs to gain access to the physically disconnected air-gapped network to install malware that can be later activated. Chances are, the building’s security guards would stop that from happening, a case where a little human muscle works in tandem with cybersecurity.

How Ramsay works

Ramsay is a sophisticated air gapping malware that has been detected recently. It appears to infect flash drives, memory cards, and other portable devices that are connected to a network. These devices are plugged into the air-gapped system, and that is the human aspect of such breaches. Eventually, a human enters the equation and plugs in something they shouldn’t.

But, ZDNet reports that Ramsay appears to have been designed with features to infect air-gapped computers, collect Word and other sensitive documents in a hidden storage container, and then wait for a possible exfiltration opportunity.

Other versions, according to ZDNet, also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was employing to jump the air gap and reach isolated networks, as users would most likely move the infected executables between the company’s different network layers, and eventually end up on an isolated system.

Roberts says there have been very few real-world examples of Ramsay being executed.

“But the fact that this technology is being developed, used and refined should send off alarm bells, if not for MSPs, for IT professionals at sensitive government installations and power grids where air-gapped networks are standard,” Roberts says.

For now, air-gapping is largely theoretical and impractical for hackers. But the fact that we are even talking about air-gapped networks being breached is ominous.

Photo: Alex from the Rock / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *