>samit_hota
Back to adversary profiles
G0041HighDormant

Strider (ProjectSauron): A Profile of a Sophisticated Cyber Espionage Group

Samit Hota·
Suspected Origin
Unknown
Motivation
Espionage, Intelligence Gathering
Aliases
ProjectSauron
Target Sectors
Government, Military, Embassies, Financial, Telecommunications, Scientific Research, Airlines
Associated Malware
Remsec
#threat-actor#g0041

Overview

Strider, also known by its alias ProjectSauron, is a highly advanced and elusive threat group identified by security researchers in 2016, though its activities date back to at least June 2011. This group, designated G0041 in the MITRE ATT&CK framework, is widely believed to be nation-state sponsored due to its significant technical sophistication, selective targeting, and clear motivation for long-term cyber espionage and intelligence gathering rather than financial gain. While a definitive country of origin remains unconfirmed, some analyses have tentatively linked Strider to U.S. intelligence operations, with one source explicitly listing “USA” as the country of origin.

Strider primarily focuses on collecting high-value intelligence by compromising key entities across various critical sectors. Their operations have been observed in Russia, China, Sweden, Belgium, Iran, and Rwanda, with mentions of an airline in China and an embassy in Belgium among their specific targets. The group’s targets span governments, military organizations, embassies, financial institutions, telecommunications providers, and scientific research centers. A particular interest lies in communication encryption software used by targeted governmental organizations, with the goal of stealing encryption keys, configuration files, and critical infrastructure server IP addresses. The name “ProjectSauron” itself stems from references to “Sauron” found within the group’s Lua scripts, nodding to the all-seeing antagonist in The Lord of the Rings.

Tactics & Techniques

Strider is distinguished by its meticulous operational security and custom-tailored approach, designed to avoid detection and hinder attribution. A hallmark of their campaigns is the customization of artifacts for each target, effectively reducing the value of traditional Indicators of Compromise (IOCs for other victims. This bespoke methodology underscores the group’s significant resources and technical prowess.

Their tactics and techniques (TTPs) demonstrate a deep understanding of network environments and a commitment to stealth and persistence. Initial infection vectors are not definitively known, but once access is established, Strider employs several sophisticated methods for persistence and privilege escalation. One notable technique involves registering a persistence module on domain controllers as a Windows Local Security Authority (LSA) password filter. This allows them to harvest administrative passwords in cleartext whenever a domain, local user, or administrator logs in or changes a password.

For data exfiltration, especially from air-gapped networks, Strider utilizes a specialized module that transfers data using custom-prepared USB storage drives. These drives contain hidden, custom-encrypted partitions that are not recognized by standard operating systems. Additionally, the group makes extensive use of the DNS protocol for data exfiltration and real-time status reporting, often through DNS tunneling techniques. Lateral movement within compromised networks often leverages legitimate software distribution channels.

The group’s malware frequently incorporates robust stealth features, such as deploying much of its functionality directly over the network, meaning it resides only in a computer’s memory and is never stored on disk. This memory-resident approach makes detection significantly more challenging for traditional antivirus solutions. Furthermore, several components are delivered as executable Binary Large Objects (BLOBs), which are inherently more difficult for security software to analyze.

Notable Campaigns

Strider’s activities were brought to light in August 2016 through independent research published by Symantec (who named the group “Strider”) and Kaspersky Lab (who named their campaign “ProjectSauron”). Prior to this public disclosure, the group had maintained a remarkably low profile, operating undetected for at least five years, since 2011.

Symantec’s investigations uncovered evidence of 36 infections across seven distinct organizations. These included various entities in Russia, a Chinese airline, an organization in Sweden, and an embassy located in Belgium. Separately, Kaspersky Lab identified over 30 organizations impacted by ProjectSauron, primarily in Russia, Iran, and Rwanda. They also noted potential infections in Italian-speaking countries.

Notably, security researchers observed that at least one of Strider’s targets had previously been compromised by Regin, another highly sophisticated state-sponsored Trojan associated with extensive cyber espionage operations. This overlap suggests either a shared targeting interest with other elite groups or a possible collaboration, though no definitive conclusions have been drawn.

Associated Malware & Tools

The primary malware strain associated with Strider is Remsec, sometimes referred to as Backdoor.Remsec. Remsec is a sophisticated, modular Windows infostealer designed explicitly for spying. Its capabilities include establishing backdoors, logging keystrokes, and stealing files from infected systems, as well as facilitating lateral movement within a network.

Remsec is characterized by its use of the Lua scripting language for many of its modules, a relatively uncommon technique that aids in evading detection. The Remsec framework encompasses various modules, including network loaders, host loaders, network listeners, different types of pipe backdoors, an HTTP backdoor with command-and-control (C2) server addresses, and a keylogger. The platform also employs strong encryption algorithms such as RC6, RC5, RC4, AES, and Salsa20 for its modules and network communications, further enhancing its stealth and resilience. The designation “ProjectSauron” is also used to refer to the malware platform (S0125) itself, highlighting its comprehensive nature.

Current Status

Strider (ProjectSauron) has not been publicly reported with new campaigns or activity since its discovery and subsequent reporting in 2016. According to analysis at the time, forensic evidence indicated the APT was operational until at least April 2016. Following public exposure, researchers observed the group uninstalling their malware from known victims, suggesting a rapid attempt to cover their tracks and potentially ceasing operations at that time. While there’s always a possibility that a highly sophisticated group could re-emerge under new guises or remain undetected, the lack of reported activity for nearly a decade suggests that Strider is currently dormant.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call