
IPFS News Link • Wikileaks

Brutal Kangaroo: Wikileaks Exposes How CIA Hacks Computers Not Connected To Internet

• http://www.dcclothesline.com

Eleven newly published Wikileaks documents describe a CIA software suite known as "Brutal Kangaroo." It is built to reach "air-gapped" computers that are deliberately kept off any network: it first compromises internet-connected machines inside the same organization, then rides the USB thumb drives that staff carry between those machines and the isolated ones.

Quartz explains how it all works:

Brutal Kangaroo works by creating a digital path from an attacker to an air-gapped computer and back. The process begins when a hacker remotely infects an internet-connected computer in the organization or facility being targeted. Once it has infected that first computer, what the documents refer to as the "primary host," Brutal Kangaroo waits. It can't spread to other systems until someone plugs a USB thumb drive into that first one.


"Emotional Simian," a tool for packaging malware described in the Brutal Kangaroo documents (WikiLeaks)

Once someone does, malware specific to the make and model of the thumb drive is copied onto it, hiding in modified LNK files that Microsoft Windows uses to render desktop icons, and in DLL files that contain executable programs. From this point, Brutal Kangaroo will spread further malware to any system that thumb drive is plugged into. And those systems will infect every drive that's plugged into them, and so on, and the idea is that eventually one of those drives will be plugged into the air-gapped computer.

The major flaw in the concept of isolating sensitive computers is that the air gap around them can only be maintained if no one ever needs to copy files onto or off of them. But even for specialized systems, there are always updates and patches to install, and information that has to be fed in or pulled out. It's common knowledge among IT specialists that external hard drives are an obvious target for anyone seeking to break the air gap, and precautions are presumably taken in facilities with diligent IT specialists. Those precautions, however, can be subverted with exploitations of obscure vulnerabilities, and sometimes mistakes simply happen.

If a thumb drive infected with Brutal Kangaroo is plugged into an air-gapped computer, it immediately copies itself onto it. If a user tries to browse the contents of the infected drive on that computer, it will trigger additional malware that will collect data from the computer. As users continue plugging the drive into connected and disconnected computers, a relay is formed, ultimately creating a slow path back to the hacker, through which data copied from the air-gapped computer will be delivered if everything goes according to plan.
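The propagation step Quartz describes relies on two things arriving together on a thumb drive: shortcut (LNK) files and DLLs. A defender handling removable media can look for exactly that pairing. The script below is an added example for this page, not code from the leaked documents, from Quartz, or from WikiLeaks. It parses the public Shell Link (MS-SHLLINK) layout just far enough to read a shortcut's relative path, arguments and icon location, then flags any shortcut on the drive that names a DLL which is itself carried on the same drive. That indicator is an assumed, generic heuristic for the LNK-plus-DLL pattern, not a signature taken from the Brutal Kangaroo files; the drive image it triages is constructed in a temporary directory, and `helper.dll`, `Documents.lnk` and the argument string are hypothetical.

```python
"""Triage a mounted removable drive for shortcuts that point at DLLs on the same drive.

Added example; the indicators are an assumed heuristic for the LNK-plus-DLL
pattern, not signatures from the leaked documents.
"""
import os
import re
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
DLL_REF = re.compile(r"[\w\\./:$~-]*\.dll", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a Shell Link file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:        # LinkTargetIDList: u16 IDListSize, then IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfo: u32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def build_lnk(relative_path="", arguments="", icon_location="") -> bytes:
    """Construct a minimal Unicode .lnk as a test fixture (not a real Windows shortcut)."""
    flags = HAS_IDLIST | IS_UNICODE
    strings = b""
    for bit, value in ((HAS_RELPATH, relative_path), (HAS_ARGS, arguments),
                       (HAS_ICON, icon_location)):
        if value:
            flags |= bit
            strings += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<HH", 2, 0) + strings   # empty IDList: size 2, TerminalID 0


def lnk_indicators(fields: dict, on_drive_dlls: set) -> list:
    """Flag shortcut fields that name a DLL present on the same drive (assumed heuristic)."""
    hits = []
    for key in ("relative_path", "arguments", "icon_location"):
        for ref in DLL_REF.findall(fields.get(key, "")):
            name = ref.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in on_drive_dlls:
                hits.append(f"{key} references on-drive DLL {name}")
    return hits


def triage_drive(root: str) -> dict:
    """Walk a mounted drive; map each suspicious or unparseable .lnk to its findings."""
    dlls, lnks = set(), []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".dll"):
                dlls.add(n.lower())
            elif n.lower().endswith(".lnk"):
                lnks.append(os.path.join(dirpath, n))
    report = {}
    for path in lnks:
        with open(path, "rb") as fh:
            try:
                fields = parse_lnk(fh.read())
            except ValueError as exc:
                report[path] = [f"unparseable: {exc}"]
                continue
        hits = lnk_indicators(fields, dlls)
        if hits:
            report[path] = hits
    return report


def demo() -> dict:
    """Lay out a constructed thumb-drive image in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "helper.dll"), "wb") as fh:   # hypothetical carried DLL
        fh.write(b"MZ constructed placeholder, not a real DLL")
    suspicious = build_lnk(relative_path=".\\Documents.lnk",
                           arguments=r"\helper.dll,Start",     # hypothetical argument
                           icon_location=r"\helper.dll")       # icon pulled from the DLL
    benign = build_lnk(relative_path=r"..\..\Windows\notepad.exe")
    with open(os.path.join(root, "Documents.lnk"), "wb") as fh:
        fh.write(suspicious)
    with open(os.path.join(root, "notepad.lnk"), "wb") as fh:
        fh.write(benign)
    return {os.path.basename(k): v for k, v in triage_drive(root).items()}


if __name__ == "__main__":
    print(demo())
```

Run it against the mount point of a drive before it is carried across the gap; a clean drive produces an empty report. The check is deliberately narrow: a real screening station would also hash every DLL on the drive, inspect the LNK's LinkTargetIDList and ExtraData blocks, and refuse the drive outright if the policy is that only signed update media crosses the gap.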
