The challenge of combatting malware designed to breach air-gap isolation in order to leak data.

BY MORDECHAI GURI AND YUVAL ELOVICI

Key insights

• "Air-gap" in cyber security refers to a situation in which a sensitive computer, classified network, or critical infrastructure is intentionally isolated from public networks such as the Internet.

• While breaching air-gapped networks has been proven feasible in recent years, data exfiltration from air-gapped networks is a challenging phase of an advanced cyber attack.

• We focus on a type of malware that allows attackers to overcome air-gap isolation in order to leak data. We survey various covert channels proposed over the years, examine their characteristics and limitations, and discuss the relevance of these threats and the likelihood of related cyber attacks in the modern IT environment.

Air-gap research page: https://cyber.bgu.ac.il//advanced-cyber/airgap

Many organizations store and process sensitive information within their computer networks. Naturally, such networks are the preferred targets of adversaries due to the valuable information they hold. Securing computer networks is a complex task involving the installation of endpoint protection, maintaining firewalls, configuring intrusion detection and intrusion prevention systems (IDSs and IPSs), and so on. However, regardless of the level of protection, a persistent attacker will eventually find a way to breach a computer network connected to the Internet. Consequently, if a network stores sensitive or classified information, an "air-gap" approach is often used to prevent such a breach.

Air-gapped networks have no physical or logical connection to public networks (such as the Internet). Such networks are often used in cases where the information stored in, or generated by, the system is too sensitive to risk data leaks, for example, military networks such as the Joint Worldwide Intelligence Communications System (JWICS). Air-gapped networks are also commonly used in critical infrastructure and control systems, where breach incidents can have catastrophic results; however, such networks are not limited to military or critical infrastructures. Stock exchanges, insurance companies, biomedical manufacturers, and a wide range of industries use isolated networks in their IT environments.[30] These networks maintain intellectual property, financial data, trade secrets, confidential documents, and personal information, and air-gap isolation is aimed at protecting this data.

Breaching the air-gap vs. bridging the air-gap. Despite the physical isolation and lack of external connectivity, attackers have successfully compromised such networks in the past. The most famous cases are Stuxnet and Agent.btz, although other incidents have been reported from time to time.[43] Motivated attackers can breach air-gapped networks in different ways. In recent years, some of the tactics attackers have used in order to achieve this goal have been exposed. A supply chain attack is a method in which attackers load malware onto computer systems in the supply network. Other tactics include infecting a USB drive, which is then used within the targeted network by a deceitful or malicious insider with the appropriate credentials. Several recent incidents have shown that these