Executive Summary:
On October 7, security firm ESET disclosed a cyber campaign targeting air-gapped systems at a European government organization. This campaign, conducted between May 2022 and May 2024, has been attributed to GoldenJackal, an advanced persistent threat (APT) group known for its cyber espionage activity since 2019. GoldenJackal specializes in breaching isolated environments through modular toolsets that use removable media and network-adaptive malware to deliver and execute malicious payloads. The group’s prior breach of a South Asian embassy in 2019 underscores its focus on high-value isolated networks, indicating a sustained interest in circumventing traditional security boundaries.
Analysts assess these findings as a potential warning for critical infrastructure sectors that rely on air-gapped networks for secure operations. GoldenJackal’s activities expose vulnerabilities in non-internet-facing networks, demonstrating how removable drives—a commonly trusted medium for data transfer—can serve as entry points for sophisticated malware. This tactic highlights the evolving risk landscape for air-gapped networks, particularly in critical infrastructure sectors like satellite ground stations, which often rely on such systems to remain insulated from network-borne threats.
Toolset:
GoldenJackal’s toolkit leverages a modular .NET-based framework designed to operate across both internet-connected and isolated environments. Key capabilities include file exfiltration, credential theft and system information gathering. The toolkit adapts based on network connectivity, executing different actions depending on whether an internet connection is detected. For instance, in networked environments, it downloads additional payloads from command and control (C2) servers, which are then transferred to USB drives. When internet access is unavailable, it executes stored malware directly from the drive, allowing propagation within an air-gapped system.
GoldenJackal’s modular design enables it to split tasks across various components focused on collection, processing, distribution and exfiltration, facilitating a stealthy and highly adaptable approach. This adaptability reflects the group’s comprehensive understanding of secure network architectures and underscores their evolution from conventional network-based attacks to a refined approach suitable for penetrating air-gapped networks.
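The behaviour described above, where a payload is staged onto a removable drive and later executed from it on an isolated host, is the kind of sequence endpoint telemetry on the air-gapped side can be correlated on. The following detection logic is an added example written for this brief; it is not code from the original report, from ESET, or from the GoldenJackal toolset. It consumes a simplified, constructed JSON event format (field names such as `event`, `drive_type` and `image` are assumptions, not any vendor's schema) and raises a high-severity alert when an executable is written to a removable volume and then launched from that same path on the same host within a time window, plus a lower-severity alert for any process started directly from removable media.

```python
"""Correlate removable-media file writes with subsequent process launches.

Added example for this brief; not code from the original report or from
the toolset it describes. The event format below is a simplified,
constructed JSON-lines shape whose field names are assumptions.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry: a benign document and an executable are
# written to a removable volume (E:), the executable is then launched
# from that path; later a normal process launch and an execution from a
# different removable volume on another host serve as comparison cases.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-05-01T09:00:00", "event": "file_create", "host": "ws01",
     "path": r"E:\docs\report.pdf", "drive_type": "removable",
     "image": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:00:05", "event": "file_create", "host": "ws01",
     "path": r"E:\update\svc.exe", "drive_type": "removable",
     "image": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:01:10", "event": "process_create", "host": "ws01",
     "image": r"E:\update\svc.exe", "drive_type": "removable",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:30:00", "event": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\notepad.exe", "drive_type": "fixed",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-02T11:00:00", "event": "process_create", "host": "ws02",
     "image": r"D:\tools\installer.exe", "drive_type": "removable",
     "parent": r"C:\Windows\explorer.exe"},
])

# File extensions treated as executable content when staged on a removable volume.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
DEFAULT_WINDOW = timedelta(minutes=30)


def parse_events(log_text):
    """Parse JSON-lines telemetry into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_removable_execution(log_text, window=DEFAULT_WINDOW):
    """Return alerts for removable-media execution patterns.

    Rule 1 (high): an executable-looking file is written to a removable
    volume and a process is later started from that same path on the same
    host within `window`.
    Rule 2 (medium): any process started from a removable volume with no
    matching prior write in the window.
    """
    pending = {}  # (host, lowercased path) -> time the file was written
    alerts = []
    for ev in parse_events(log_text):
        host = ev["host"]
        if ev["event"] == "file_create" and ev.get("drive_type") == "removable":
            path = ev["path"].lower()
            if path.endswith(EXECUTABLE_SUFFIXES):
                pending[(host, path)] = ev["ts"]
        elif ev["event"] == "process_create":
            key = (host, ev["image"].lower())
            wrote_at = pending.get(key)
            if wrote_at is not None and ev["ts"] - wrote_at <= window:
                alerts.append({"rule": "write_then_exec_removable",
                               "severity": "high", "host": host,
                               "image": ev["image"], "ts": ev["ts"].isoformat()})
            elif ev.get("drive_type") == "removable":
                alerts.append({"rule": "exec_from_removable",
                               "severity": "medium", "host": host,
                               "image": ev["image"], "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_removable_execution(SAMPLE_LOG):
        print(alert)
```

Running the block against the constructed log yields one high-severity alert for `ws01` (write of `E:\update\svc.exe` followed by its execution 65 seconds later) and one medium-severity alert for `ws02`; the notepad launch from the fixed disk produces nothing. In a real deployment the `drive_type` attribution would come from the endpoint agent's volume metadata, and the window and suffix list would be tuned to the site's documented media-transfer procedures so that sanctioned update workflows are recognisable rather than simply suppressed.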
Threat to Critical Infrastructure:
GoldenJackal’s ability to infiltrate air-gapped networks without direct physical access represents a significant advancement in attack methodologies. Traditionally, air-gapped systems are isolated from network-based attacks, with entry points largely limited to authorized removable media. GoldenJackal bypasses this isolation by infecting user-owned drives with malware, allowing it to reach systems previously out of reach for remote actors. This method eliminates the need for physical access or the social engineering tactics typically required to distribute infected media, thus presenting a more scalable threat to isolated networks.
By challenging long-held assumptions about the security of air-gapped networks, GoldenJackal’s tactics underscore the vulnerability of critical infrastructure. Operational environments—such as water and wastewater systems in the U.S.—have previously been targeted using similar tactics to exploit vulnerabilities in programmable logic controllers and industrial control systems. This attack model may readily extend to satellite ground infrastructures, highlighting the broader risks facing critical sectors reliant on isolated systems for data integrity and operational security.
Potential Implications for the Space Sector:
Though there is no direct evidence of GoldenJackal targeting space assets, the group’s approach is highly relevant to the sector. Satellite control and ground infrastructure systems may limit internet connectivity and utilize secure, removable drives to update systems and transfer data in air-gapped environments. These characteristics align closely with GoldenJackal’s toolkit and methods, which could be repurposed to breach similar isolated networks.
In the space domain, ground systems are vital for data transmission and satellite control. The compromise of these systems could disrupt operations, jeopardize data integrity and undermine secure communication. GoldenJackal’s adaptable toolkit and ability to leverage removable media as an attack vector highlight a pressing need for security measures that can anticipate and mitigate such advanced threats. As threat actors continue developing techniques to breach even the most secure network environments, it is imperative for organizations to account for these strategies across both networked and isolated systems.
Conclusion:
GoldenJackal’s campaign exemplifies how APTs are adapting their tactics to breach secure air-gapped networks traditionally viewed as impervious to remote cyber threats. By leveraging removable media as a bridge into isolated networks, GoldenJackal’s methodical approach exploits industry-standard practices for system maintenance and data transfer within air-gapped systems.
This campaign emphasizes the need for updated protocols governing removable media use and continued monitoring of advanced threat tactics targeting critical infrastructure. For sectors like space, which rely heavily on isolated networks, GoldenJackal’s toolkit illustrates the need for proactive defenses and an understanding that APTs are adapting traditional attack techniques to circumvent even the most robust network defenses. Ensuring the security of air-gapped systems remains a crucial objective as threat actors advance their capabilities to reach these highly secure environments.