Russian ‘Sandworm’ Hackers Targeted NATO, EU, Poland

Hackers believed to be based in Russia have been targeting organisations including NATO and the Ukrainian and European governments in a campaign going back at least to 2009, researchers have revealed.

The report revealed that one of the vulnerabilities the hackers used to attack target systems was a previously undiscovered flaw affecting all supported versions of Windows, as well as Windows Server 2008 and 2012, according to iSight Partners, which discovered the bug. Microsoft is to release a patch for the flaw as part of its regular patch release on Tuesday. Ironically, the bug doesn’t affect Windows XP, which Microsoft no longer supports.

Espionage targets

The flaw was used to target, among others, NATO, the Ukrainian and EU governments, energy and telecommunications firms, defence firms and a US academic who focuses on Ukrainian issues. Visitors to this year’s GlobSec national security conference, attended by foreign ministers and other high-level politicians, were also targeted, iSight said.

iSight called the campaign Sandworm because of coded references to Frank Herbert’s Dune series of science-fiction novels found in the URLs for the attackers’ command-and-control servers, sandworms being creatures that figure prominently in that series. The references were one of the indicators that allowed iSight to tie various attacks together and deduce that they were part of the same campaign.

The campaign focuses on stealing documents and emails containing intelligence information about NATO, Poland, Ukraine and Russia, as well as SSL keys and code-signing certificates that could help breach other systems, iSight said.

‘Quedach’

The firm noted that some of Sandworm’s activities have previously come to light.

“The team has been previously referred to as Quedach by F-Secure, which detailed elements of this campaign in September 2014, but only captured a small component of the activities and failed to detail the use of the zero-day vulnerability,” iSight said in a statement.

Various indicators suggest the campaign is based in Russia, iSight said, such as the use of Russian in files on the command-and-control servers and the fact that victims are lured in using documents that offer information that would be of interest to Russia’s adversaries, such as, in one case, a list of pro-Russian “terrorists”.

The zero-day flaw affects the way Windows handles PowerPoint files. When a user clicks on a malicious file, the exploit installs an executable that opens a backdoor, allowing further code to be installed. Some attacks also use five older bugs that have already been patched, iSight said.

The exploits install a criminal tool called Black Energy that is commonly used by spammers and bank fraud thieves, iSight said. The Sandworm attackers seem to employ standard criminal malware partly as a way of blending in with more conventional attacks.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
