
Russian ‘Sandworm’ Hackers Targeted NATO, EU, Poland

Hackers believed to be based in Russia have been targeting organisations including NATO and the Ukrainian and other European governments in a campaign dating back to at least 2009, researchers have revealed.

According to a report by iSight Partners, which discovered the bug, one of the vulnerabilities the hackers used to compromise target systems was a previously unknown flaw affecting all supported versions of Windows, as well as Windows Server 2008 and 2012. Microsoft is to release a patch for the flaw as part of its regular security updates on Tuesday. Ironically, the bug does not affect Windows XP, which Microsoft no longer supports.

Espionage targets

The flaw was used to target, among others, NATO, the Ukrainian and EU governments, energy and telecommunications firms, defence firms and a US academic who focuses on Ukrainian issues. Visitors to this year’s GlobSec national security conference, attended by foreign ministers and other high-level politicians, were also targeted, iSight said.

iSight called the campaign Sandworm because of coded references to Frank Herbert’s Dune series of science-fiction novels found in the URLs of the attackers’ command-and-control servers; sandworms are creatures that figure prominently in that series. The shared naming scheme was one of the indicators that allowed iSight to tie various attacks together and conclude that they were part of the same campaign.

The campaign focuses on stealing documents and emails containing intelligence about NATO, Poland, Ukraine and Russia, as well as SSL private keys and code-signing certificates, iSight said. Stolen keys and certificates are valuable for follow-on attacks because they let an attacker impersonate a victim’s servers or sign malware so that it passes as legitimate software.

‘Quedagh’

The firm noted that some of Sandworm’s activities have previously come to light.

“The team has been previously referred to as Quedagh by F-Secure, which detailed elements of this campaign in September 2014, but only captured a small component of the activities and failed to detail the use of the zero-day vulnerability,” iSight said in a statement.

Various indicators suggest the campaign is based in Russia, iSight said: Russian-language strings in files on the command-and-control servers, and lure documents offering information that would be of interest to Russia’s adversaries, in one case a list of pro-Russian “terrorists”. Such indicators are circumstantial, since language artefacts and lure themes can be chosen deliberately, which is why iSight describes them as suggesting rather than proving the campaign’s origin.

The zero-day flaw is in Windows itself but was triggered through malicious PowerPoint files. When a user opens such a file, the exploit drops and runs an executable that opens a backdoor, through which further code can be installed. Some attacks also used five older bugs that had already been patched, iSight said, so victims who were current on updates were still exposed only to the zero-day.

The exploits install a criminal tool called BlackEnergy, which is commonly used by spammers and bank-fraud gangs, iSight said. The Sandworm attackers appear to use off-the-shelf criminal malware partly as a way of blending in with more conventional attacks, which also makes an infection harder to attribute from the malware alone.
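The infection chain described above (a document is opened, the exploit drops an executable into a user-writable location and runs it) leaves a distinctive trace in process-creation telemetry: an Office application becoming the parent of a program that lives outside the normal install directories. The following is an added example written for this page, not code from the article, from iSight or from F-Secure. It runs a simple heuristic over constructed process-creation records; the pipe-separated field layout is an assumption loosely modelled on a process-create event, and the file names in the sample lines are made up rather than taken from any report.

```python
"""
Heuristic detection for the "Office document drops and runs a payload" chain.

Flags process-creation events where the parent is an Office application and
the child image is not under a trusted program directory.  A second signal
marks children that borrow the name of a Windows system binary but run from
somewhere else, the kind of blending-in that commodity malware relies on.

Added example.  The log lines below are CONSTRUCTED for illustration and the
field layout (timestamp|parent image|child image|command line) is an
assumption, not a real product's format.
"""
from dataclasses import dataclass

# Office parents worth watching.  The article names PowerPoint; the other
# names are added as the same class of document-handling parent (assumption).
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Directories a legitimately installed helper would normally run from.
# (Assumption for the example; a real deployment would tune this list, and
# would treat C:\Windows\Temp as writable rather than trusted.)
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Names that malware commonly borrows; seeing one outside TRUSTED_PREFIXES is
# a masquerade signal.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Constructed sample events: timestamp|parent image|child image|command line
SAMPLE_EVENTS = """\
2014-10-14T09:12:01Z|C:\\Program Files\\Microsoft Office\\Office15\\POWERPNT.EXE|C:\\Users\\alice\\AppData\\Local\\Temp\\slide.inf.exe|"C:\\Users\\alice\\AppData\\Local\\Temp\\slide.inf.exe"
2014-10-14T09:12:05Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\Office15\\POWERPNT.EXE|"POWERPNT.EXE" deck.pptx
2014-10-14T09:13:10Z|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Windows\\splwow64.exe|C:\\Windows\\splwow64.exe 12288
2014-10-14T09:14:22Z|C:\\Program Files\\Microsoft Office\\Office15\\POWERPNT.EXE|C:\\Users\\alice\\AppData\\Roaming\\svchost.exe|svchost.exe -k netsvcs
"""


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_events(text: str) -> list:
    """Parse pipe-separated records; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(ts, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_trusted_path(path: str) -> bool:
    """True when the image sits under one of the trusted program directories."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def classify(ev: ProcEvent) -> list:
    """Return the list of reasons this event looks like a dropped payload (empty if benign)."""
    reasons = []
    if basename(ev.parent) not in OFFICE_PARENTS:
        return reasons  # only Office parents are in scope for this heuristic
    if not is_trusted_path(ev.image):
        reasons.append("office parent launched image outside trusted directories")
        if basename(ev.image) in SYSTEM_BINARY_NAMES:
            reasons.append("masquerades as system binary")
    return reasons


def suspicious_office_children(events: list) -> list:
    """Return (event, reasons) pairs for every event that trips the heuristic."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in suspicious_office_children(parse_events(SAMPLE_EVENTS)):
        print(ev.ts, basename(ev.parent), "->", ev.image)
        for r in reasons:
            print("   ", r)
```

The heuristic is deliberately narrow: it ignores Office launching its own helpers from the program directories (the WINWORD.EXE line above is a legitimate print-spooler helper and is not flagged) and fires on the two constructed events where PowerPoint spawns a program from the user's profile. In practice the trusted-directory list and the set of parent processes need tuning for the environment, and the match should be enriched with the dropped file's hash and signer before anyone acts on it.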


Matthew Broersma

Matt Broersma is a long-standing technology freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
