Russian ‘Sandworm’ Hackers Targeted NATO, EU, Poland

Attackers have been using a zero-day Windows flaw to infiltrate government targets for at least the past five years, iSight said

Hackers believed to be based in Russia have been targeting organisations including NATO, Ukrainian and European governments in a campaign going back at least to 2009, researchers have revealed.

In a report, it was revealed that one of the vulnerabilities used by the hackers to attack target systems was a previously undiscovered flaw affecting all supported versions of Windows, as well as Windows Server 2008 and 2012, according to iSight Partners, which discovered the bug. Microsoft is to release a patch for the flaw as part of its regular patches on Tuesday. Ironically, the bug doesn’t affect Windows XP, which Microsoft no longer supports.

St. Basil's Cathedral on Red square, Moscow, Russia

Espionnage targets

The flaw was used to target, among others, NATO, the Ukrainian and EU governments, energy and telecommunications firms, defence firms and a US academic who focuses on Ukrainian issues. Visitors to this year’s GlobSec national security conference, attended by foreign ministers and other high-level politicians, were also targeted, iSight said.

iSight called the campaign Sandworm because of coded references to Frank Herbert’s Dune series of science-fiction novels found in the URLs for the attackers’ command-and-control servers, sandworms being creatures that figure prominently in that series. The references were one of the indicators that allowed iSight to tie various attacks together and deduce that they were part of the same campaign.

The campaign focuses on stealing documents and emails containing intelligence information about NATO, Poland, Ukraine and Russia, as well as SSL keys and code-signing certificates that could help breach other systems, iSight said.


The firm noted that some of Sandworm’s activities have previously come to light.

“The team has been previously referred to as Quedach by F-Secure, which detailed elements of this campaign in September 2014, but only captured a small component of the activities and failed to detail the use of the zero-day vulnerability,” iSight said in a statement.

Various indicators suggest the campaign is based in Russia, iSight said, such as the use of Russian in files on the command-and-control servers and the fact that victims are lured in using documents that offer information that would be of interest to Russia’s adversaries, such as, in one case, a list of pro-Russian “terrorists”.

The zero-day flaw affects the way Windows handles PowerPoint files. When a user clicks on a malicious file, the exploit installs an executable that opens a backdoor, allowing further code to be installed. Some attacks also use five older bugs that have already been patched, iSight said.

The exploits install a criminal tool called Black Energy that is commonly used by spammers and bank fraud thieves, iSight said. The Sandworm attackers seem to employ standard criminal malware partly as a way of blending in with more conventional attacks.

Are you a security pro? Try our quiz!