Russian cyber-spies use Windows zero-day to hit NATO

A Russian cyber-espionage group has used a dangerous Microsoft Windows zero-day bug - being patched today - to attack targets including NATO, a western European government, a French telecoms firm, Polish energy companies and a US academic organisation.


The ‘Sandworm’ spy group was exposed this week by security firm iSIGHT Partners.

iSIGHT says the group has been operating since at least 2009 – but on 3 September Sandworm started using a lethal zero-day bug that affects all supported versions of Microsoft Windows.

In a tense stand-off, iSIGHT and Microsoft kept quiet about the zero-day for six weeks, until the patch could be released, because they had only seen the Sandworm group exploit it and had warned all the victims involved.

iSIGHT admits that if it had seen a surge in other attackers using the bug in that time, it would have been forced to release its information ahead of the patch.

Because of the bug's wide-ranging nature, iSIGHT is urging “the application of this patch should be done as soon as humanly possible”, adding: “Microsoft is detailing a list of workarounds to the vulnerability as part of its bulletin – these workarounds should help mitigate the risk of exploitation while the patching process unfolds for your firm.”

The zero-day (CVE-2014-4114) affects all supported versions of Windows, from Vista SP2 to Windows 8.1, as well as Windows Server versions 2008 and 2012 – but ironically not the now unguarded Windows XP, which went end-of-life in April.

It exploits a flaw in the way Windows handles INF files embedded in documents such as PowerPoint presentations, which allows files from untrusted sources to be downloaded, enabling attackers to plant their own malware code on the victim's computer.
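As an added illustration from the defender's side (this is not part of the original article, and not code from iSIGHT, Microsoft or any of the firms quoted), the script below scans a PowerPoint (.pptx) package for the kind of indicator the flaw described above relies on: a relationship or embedded part that points at an INF file, or an external relationship that reaches out to a remote file share. The package layout it inspects (zip parts plus `.rels` relationship XML) is the standard Office Open XML structure; the two sample documents, the share path `\\203.0.113.7\public`, the part names and the placeholder INF content are all constructed for the demonstration and are not indicators taken from the real campaign.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# A .pptx is a zip package; each part's relationships live in a sibling ".rels" XML part.
# The regexes are deliberately simple: one <Relationship .../> element, then its attributes.
_REL_RE = re.compile(r"<Relationship\b[^>]*?/?>", re.IGNORECASE)
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def _relationship_findings(part_name: str, xml_text: str) -> List[str]:
    """Flag relationships whose target is an INF file or an external file share."""
    findings = []
    for match in _REL_RE.finditer(xml_text):
        attrs = dict(_ATTR_RE.findall(match.group(0)))
        target = attrs.get("Target", "")
        mode = attrs.get("TargetMode", "Internal")  # OOXML default when the attribute is absent
        lower = target.lower()
        if lower.endswith(".inf"):
            findings.append(f"{part_name}: relationship to INF file {target!r} ({mode})")
        elif mode.lower() == "external" and (lower.startswith("\\\\") or lower.startswith("file:")):
            findings.append(f"{part_name}: external relationship to file share {target!r}")
    return findings


def scan_pptx(data: bytes) -> List[str]:
    """Return human-readable findings for a .pptx held in memory; an empty list means nothing was flagged."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(".inf"):
                # An INF stored as an embedded part is unusual for a presentation.
                findings.append(f"{name}: INF file stored inside the document package")
            elif lower.endswith(".rels"):
                text = zf.read(name).decode("utf-8", errors="replace")
                findings.extend(_relationship_findings(name, text))
    return findings


def scan_pptx_file(path: str) -> List[str]:
    """Convenience wrapper for scanning a file on disk (e.g. a quarantined mail attachment)."""
    with open(path, "rb") as fh:
        return scan_pptx(fh.read())


# --- constructed test fixtures: a minimal benign deck and a suspicious one ---
_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{_RELS_NS}">'
    f'<Relationship Id="rId1" Type="{_REL_TYPE}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    "</Relationships>"
)

# Constructed example: an external relationship to an INF on a share (203.0.113.0/24 is a documentation range).
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{_RELS_NS}">'
    f'<Relationship Id="rId1" Type="{_REL_TYPE}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    f'<Relationship Id="rId2" Type="{_REL_TYPE}/oleObject" Target="\\\\203.0.113.7\\public\\slide1.inf" TargetMode="External"/>'
    "</Relationships>"
)


def build_sample_pptx(slide_rels: str, extra_parts: Optional[Dict[str, str]] = None) -> bytes:
    """Build a skeletal .pptx in memory: just enough parts for the scanner to walk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
        for name, content in (extra_parts or {}).items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Scan one benign and one suspicious constructed deck; returns (benign_findings, suspicious_findings)."""
    benign = build_sample_pptx(BENIGN_RELS)
    suspicious = build_sample_pptx(
        SUSPICIOUS_RELS,
        {"ppt/embeddings/payload.inf": "; constructed placeholder INF for the test fixture\n"},
    )
    return scan_pptx(benign), scan_pptx(suspicious)


if __name__ == "__main__":
    benign_findings, suspicious_findings = demo()
    print("benign deck:", benign_findings or "no findings")
    print("suspicious deck:")
    for line in suspicious_findings:
        print("  -", line)
```

The scanner is a triage aid, not a replacement for the patch: it only inspects the relationship XML and part names, so it catches documents that openly reference an INF or a file share and says nothing about other embedded object types. It is cheap enough to run on every inbound presentation at a mail gateway, which is where the spear-phishing attachments described in this article would first be seen.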

The Sandworm group previously used other ‘exploits’, iSIGHT says. It attacked the NATO alliance back in December 2013, and this May targeted attendees of the GlobSec security conference, which includes foreign ministers and other high-level government officials from Europe and elsewhere.

In June, Sandworm targeted a Western European government, a Polish energy firm using CVE-2013-3906, and a French telecoms company using a variant of the BlackEnergy malware.

Two months later and coinciding with the NATO summit in Wales, it used a spear-phishing campaign to attack the Ukrainian Government and at least one US organisation.

Then on 3 September, iSIGHT spotted it launching spear-phishing attacks using the Windows zero-day, to plant a weaponised PowerPoint document.

iSIGHT's Stephen Ward warned in his blog that other attackers and victims in other sectors could emerge. “It is critical to note that there is a potential for broader targeting from this group and potentially other threat actors using this zero-day,” he said.

Commenting on the revelations, Tenable EMEA technical director Gavin Millard agreed that the zero-day used by Sandworm is highly dangerous, and called for vigilance.

He told journalists by email: “Whilst the technical detail of the Sandworm vulnerability has thankfully been held back until the patch was ready from Microsoft, if the descriptions of the bug are accurate it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information.

“When zero-day exploits associated with common file formats are exposed, malware to take advantage of it quickly follows.”

Ward called the attacks part of a “growing drum beat of cyber-espionage activity out of Russia” and said iSIGHT is actively tracking at least five distinct cyber-espionage teams.

He explained: “We recently disclosed the activities of one of those teams - dubbed Tsar team - surrounding the use of mobile malware. This team has previously launched campaigns targeting the US and European intelligence communities, militaries, defence contractors, news organisations, NGOs and multilateral organisations. It has also targeted jihadists and rebels in Chechnya.”

Picking up on this theme, Mark Sparshott, EMEA director at Proofpoint, said: “Russian-based cyber-crime and cyber-espionage is a major concern for Europe and the US as it is on the rise.”

In an email to SCMagazineUK.com, he added: “Critically Sandworm's use of targeted phishing for distribution and attachment-based zero-day exploits to bypass email and endpoint AV checks reinforces the need for at-risk organisations to deploy a new generation of advanced malware prevention, detection and response toolsets and processes.”

iSIGHT dubbed the attackers ‘Sandworm’ because the group refers to the science fiction series ‘Dune’ in its code, and ‘sandworms’ figure heavily in Dune.

The group was previously called Quedagh by F-Secure, which detailed some of its attacks last month although not the zero-day. ESET also spotted the group last month using the BlackEnergy malware to attack around 100 government organisations and businesses in Poland and Ukraine, as reported by SC.

iSIGHT believes the group is from Russia because its command-and-control server files are written in Russian and the ‘lures’ used are on subjects of interest to Russia's political enemies.

Ward said: “The team prefers the use of spear-phishing with malicious document attachments to target victims. Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia.”

He added: “The team has recently used multiple exploit methods to trap its targets including the use of BlackEnergy crimeware, exploitation of as many as two known vulnerabilities simultaneously, and this newly observed Microsoft Windows zero-day.”

Tenable's Millard commented on this: “What's most interesting with Sandworm is not the attack vector itself but the lack of detection of subsequent indicators of compromise in the organisations allegedly affected by it. The need to continuously monitor the environment to detect malicious activities and indicators of misuse is paramount to defend against this or any other zero-day exploit.”