A group of Russian hackers, probably working for the government, has been exploiting a previously unknown flaw in Microsoft’s Windows operating system to spy on NATO, the Ukrainian government, a U.S. university researcher and companies in the energy and telecommunications sectors, according to a report by iSight Partners, a Dallas-based cybersecurity firm.
If iSight's reports are to be believed, the group has been active since 2009, and iSight has been monitoring its activities since 2013. Its latest 'targets' include a Polish energy firm, a Western European government agency and a French telecommunications firm.
"This is consistent with espionage activity," iSight Senior Director Stephen Ward said, as quoted by The Washington Post. "All indicators from a targeting and lures perspective would indicate espionage with Russian national interests."
There is no indication that the group was behind a recent spate of intrusions into U.S. banks, including JPMorgan Chase, Ward said. Current and former U.S. intelligence officials say the capabilities of Russian hackers are on par with those of the United States and Israel.
"Your targets almost certainly have to do with your interests. We see strong ties to Russian origins here," John Hultquist, head of iSight's cyberespionage practice, told Reuters, adding that he believed the hackers were supported by a country because they were involved in espionage, not cyber crime.
According to Drew Robinson, a technical analyst at iSight, the targets of the spying campaign partly suggest that Russia could be the nation supporting the espionage. The command server, which was located in Germany, also exposed Russian-language computer files that had been uploaded by the hackers.
According to iSight, the group, which it calls the Sandworm Team, prefers spear-phishing: fraudulent emails carrying malicious attachments, sent to specific victims.
On Sept. 3, researchers at iSight discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability affecting all supported versions of Microsoft Windows, from Vista SP2 to Windows 8.1, and Windows Server 2008 and 2012. A zero-day vulnerability is a software flaw that is unknown to the vendor, so no patch exists for it; attackers can exploit it to breach a system before the vendor takes measures to fix it.
“We immediately notified targeted entities, our clients across multiple government and private sector domains and began working with Microsoft to track this campaign and develop a patch to the zero-day vulnerability,” the iSight report said.
"Although the vulnerability impacts all versions of Microsoft Windows — having the potential to impact an enormous user population — from our tracking it appears that its existence was little known and the exploitation was reserved to the Sandworm team." iSight believes that by disclosing the flaw on the eve of Patch Tuesday, it has minimized the chance of other hacking teams exploiting the zero-day vulnerability before a fix is available.