Russian hackers exploited a bug in Microsoft Windows and Windows Server 2008 and 2012 software to spy on computers used by NATO, the European Union, Ukraine and companies in the energy and telecommunications sectors, according to cyber intelligence firm iSight Partners. Microsoft is making a patch for this vulnerability available as part of patch updates on the 14th – CVE-2014-4114.
Visibility into this campaign indicates targeting across the following domains, according to iSIGHT:
- Ukrainian government organizations
- Western European government organization
- Energy Sector firms (specifically in Poland)
- European telecommunications firms
- United States academic organization
iSIGHT attributed this particular cyber-espionage campaign to anintrusion team that iSIGHT has dubbed 'Sandworm Team' based on its use of encoded references to the classic science fiction series Dune in command and control URLs and various malware samples.
The team has been previously referred to as Quedach by F-Secure, which detailed elements of this campaign in September 2014 but only captured a small component of the activities and failed to detail the use of the zero-day vulnerability.
iSIGHT says the Sandworm Team’s activities started around 2009. The team prefers the use of spear-phishing with malicious document attachments to target victims. Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia. The team has recently used multiple exploit methods to trap its targets including the use of BlackEnergy crimeware, exploitation of as many as two known vulnerabilities simultaneously, and this newly observed Microsoft Windows zero-day.
In late August, while tracking the Sandworm Team, iSIGHT discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization. Notably, these spear-phishing attacks coincided with the NATO summit on Ukraine held in Wales.
On September 3rd, the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012. A weaponized PowerPoint document was observed in these attacks.