This hush-hush hacker group has been quietly spying since 2011

Strider hackers reference the all-seeing eye of Sauron in their 'nation-state level' malware, which has been used to steal files from organisations across the globe.
Written by Danny Palmer, Senior Writer

Hackers are casting the eye of Sauron on selected targets.

Image: iStock

Cybersecurity researchers at Symantec have discovered a previously-unknown hacker group they have dubbed 'Strider', which has been infecting organisations and individuals that would be of potential interest to a nation state's intelligence services.

See also

    The group's Remsec malware appears to mainly target organisations and individuals in Russia, but has also infiltrated the systems of an airline in China, an embassy in Belgium, and an unspecified organisation in Sweden. The malware is very much designed to spy on its targets: once it has infected a system, it opens a backdoor through which it can log keystrokes and steal files.

    It's thought the highly-targeted malware -- only 36 infections in five years -- has been in operation since October 2011, avoiding detection by the vast majority of antivirus systems for almost five years through a number of features designed to ensure stealth.

    Several of the components which make up Remsec are built in the form of a Binary Large Object (BLOB), collections of binary data which are difficult for security software to detect. In addition, the malware's functionality is deployed across a network which means it isn't stored on disk, another factor which makes it difficult to detect.

    Many of the Remsec modules are written in the Lua programming language, an embeddable scripting language which can be used to perform various functions and processes -- in this case including keylogging and it's this code which contains references to the all-seeing Eye of Sauron from the Lord of the Rings.


    A line of Remsec code referencing Sauron

    Image: Symantec

    It's because of this use of Lua modules that researchers believe that Strider may have links to the Flamer hacking group, which also uses this style of programming in its malware. There may also be a connection to the infamous Regin malware, as one of Remsec's victims had previously been infected with this line of malicious software.

    Due to the advanced nature of the malware, cybersecurity researchers believe that the Strider group are very technically competent developers of malicious software and could even be from a "nation-state level attacker".


    Editorial standards