Sandworm: Russia-backed cyber criminals targeted EU, NATO

NATO, European Union and European Government websites compromised

A group of cyber criminals supposedly from Russia has been found using a previously unknown flaw in Microsoft’s Windows operating system to attack and spy on government agencies across Europe. This zero-day attack apparently gave them access to all versions of Windows from Vista onwards. Ironically, the only Windows version not susceptible to this attack turns out to be Windows XP, which is no longer supported by Microsoft.

The cyber criminals are thought to be of Russian origin because of the various signatures seen on the malware affecting the systems.


Team Sandworm

This security loophole was uncovered by cyber-intelligence firm iSIGHT Partners. They dubbed the group Sandworm because of the constant references to Frank Herbert’s “Dune” in its code. The espionage has been under way since August and is still ongoing.

Thankfully, the technical details (PoC) of the loophole were held back from the public eye until Microsoft was ready with a patch. Microsoft will release the patch for this vulnerability along with its other patches today.

This is critical, considering that it does not take long for malware exploiting a flaw to appear once the flaw becomes public. The victims of this cyber espionage include NATO, the European Union, Ukraine, Poland and a multinational communications company.

The Attack

Sandworm targeted machines using a malicious PowerPoint presentation. When the presentation was opened, it caused an executable file to run, which opened a backdoor into the system. Through this backdoor, the cyber criminals could access the machine remotely and spy on the activities of that particular system.
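Opening an unsolicited deck is the point where a defender can still intervene. As an added example, not part of the original article or of the iSIGHT report, the Python below triages a .pptx (an OOXML zip of XML parts) for the indicators a presentation that carries an executable would typically show: embedded OLE objects, embeddings containing a PE "MZ" marker, and relationships pointing at external targets. The sample deck, its file names and the UNC path are constructed for the demonstration.

```python
import io
import re
import zipfile

# Constructed sample parts (not from any real deck): a slide whose relationships
# file points at an embedded OLE object and at an external UNC target.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
    ' Target="../embeddings/oleObject1.bin"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
    ' Target="\\\\fileserver.example\\share\\slide.bin" TargetMode="External"/>'
    '</Relationships>'
)
# Constructed embedded blob: OLE compound-file magic followed by an "MZ" marker,
# i.e. a packaged executable rather than an image or a chart.
SAMPLE_EMBEDDING = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"MZ\x90\x00" + b"\x00" * 16

def build_sample_pptx() -> bytes:
    """Write the constructed parts into an in-memory OOXML zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
        z.writestr("ppt/embeddings/oleObject1.bin", SAMPLE_EMBEDDING)
    return buf.getvalue()

REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def inspect_pptx(data: bytes) -> dict:
    """Collect indicators worth reviewing before a deck is opened: external
    relationship targets, embedded OLE objects, and embeddings that contain a
    PE "MZ" marker (an executable packaged into a slide)."""
    findings = {"external_targets": [], "embedded_objects": [], "pe_like_embeddings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                text = z.read(name).decode("utf-8", "replace")
                for rel in REL_RE.findall(text):
                    attrs = dict(ATTR_RE.findall(rel))
                    if attrs.get("TargetMode") == "External":
                        findings["external_targets"].append(attrs.get("Target", ""))
            elif name.startswith("ppt/embeddings/"):
                findings["embedded_objects"].append(name)
                if b"MZ" in z.read(name):  # heuristic: PE header marker inside the object
                    findings["pe_like_embeddings"].append(name)
    return findings

if __name__ == "__main__":
    print(inspect_pptx(build_sample_pptx()))
```

Any non-empty `pe_like_embeddings` or `external_targets` list is a reason to detonate the file in a sandbox rather than open it on a workstation.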

It has not been made known exactly what data has been stolen, but looking at the victim list, one can guess fairly well what information was targeted. All the victims of this crime are conveniently related to the ongoing Ukrainian conflict, and it is very likely that this conflict started the espionage in the first place. In addition to diplomatic and sensitive information, Sandworm might also have targeted SSL keys and code-signing certificates, both useful for launching attacks in the future.

Russian Link

Why do we say this group can be linked to the Russian state? The attack was based on a flaw in an operating system. Finding loopholes in an OS is no cakewalk, especially in one of the scale of Windows. It requires an abundance of resources (both human and technical) and effort, which points to state funding. Files in Russian have also been found on the servers used by Sandworm. In addition, why would this team focus on cyber espionage? A hacker would, under normal circumstances, indulge in cyber crime. What good would top-secret state information do for an individual? The only entity that can logically benefit from this level of espionage seems to be a government. Since all the targets are directly linked to the Ukrainian conflict, it doesn’t take long to put two and two together. And of course, such intel during an ongoing war can be priceless.

Other attacks using Sandworm

The team also seems to have targeted known academics with an interest in the Ukrainian conflict, as well as the systems of a few Ukrainian government officials, using spear-phishing techniques. Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear-phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators after financial gain, trade secrets or military information. The malicious messages claimed to contain information gathered by Ukrainian security services on Russian sympathizers, such as a list of pro-Russian extremists.

BlackEnergy

As per the iSIGHT report, the group’s previous activity involves the BlackEnergy malware. BlackEnergy started out as a kit used to create botnets for launching Distributed Denial of Service (DDoS) attacks, and later evolved into a tool used to commit banking fraud. Going from DDoS to cyber espionage is quite a promotion. The group was caught in the act by F-Secure researchers when samples of BlackEnergy harvesting data from the Ukrainian government were found in the wild. F-Secure labelled the activity “Quedagh” and informed the concerned parties about the compromise.

The threat doesn’t seem to be over with Microsoft’s patch release. With the data the group has already collected, the agencies and governments supporting the anti-Russian Ukrainian regime had better be ready for a long-drawn-out cyber war.

Source : iSIGHT Partners
