14 Oct 2014

Russian Sandworm Hack Has Been Spying on Foreign Governments

A cyberespionage campaign believed to be based in Russia has been targeting government leaders and institutions for nearly five years, according to researchers with iSight Partners who have examined code used in the attacks.

The campaign, dubbed “Sandworm,” is believed to have been running since 2009, and uses a wide-reaching zero-day exploit uncovered by the researchers that affects nearly every version of the Windows operating system released since Windows Vista.

Although iSight only has a small view of the number of victims targeted in the campaign, the victims include, among others, the North Atlantic Treaty Organization, Ukrainian and European Union governments, energy and telecommunications firms, defense companies, as well as at least one academic in the US who was singled out for his focus on Ukrainian issues. The attackers also targeted attendees of this year’s GlobSec conference, a high-level national security gathering that attracts foreign ministers and other top leaders from Europe and elsewhere each year.

It appears Sandworm is focused on nabbing documents and emails containing intelligence and diplomatic information about Ukraine, Russia and other topics of importance in the region. But it also attempts to steal SSL keys and code-signing certificates, which iSight says the attackers probably use to further their campaign and breach other systems.

The researchers dubbed the operation “Sandworm” because the attackers make multiple references to the science fiction series Dune in their code. Sandworms, in the Frank Herbert books, are desert creatures on the planet Arrakis who are worshipped as god-like entities.

iSight is not the first to spot the attackers in the wild. Other security firms, including F-Secure in Finland, have uncovered victims over the years. But iSight was able to tie various attacks together to expose commonalities in the five-year campaign. It was encoded references to Dune—which appear in URLs for the attackers’ command-and-control servers—that helped tie some of the attacks together. The URLs include base64 strings that when decoded translate to “arrakis02,” “houseatreides94,” and “epsiloneridani0,” among others.
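The article notes that the Dune references only became visible once the base64 strings in the command-and-control URLs were decoded. The following is an added example (not code from the article, iSight Partners, or SafeUM) of how a defender can apply that same idea to outbound proxy logs: decode every base64-looking path segment or query value, and flag any request whose decoded text matches one of the indicators the article names. The log lines, hostnames and client addresses are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Decoded Dune references the article says appear, base64-encoded, in the
# campaign's C2 URLs. Matching is done on the decoded text, so the encoded
# form never has to be guessed or stored.
DUNE_INDICATORS = {"arrakis02", "houseatreides94", "epsiloneridani0"}

# A URL piece worth trying to decode: base64 alphabet (standard or URL-safe),
# at least six characters, optional '=' padding at the end.
_B64_CANDIDATE = re.compile(r"^[A-Za-z0-9+/_-]{6,}={0,2}$")


def decode_base64_segment(segment):
    """Decode one URL piece as base64 if it yields printable ASCII.

    Tries the standard alphabet first, then the URL-safe one. Returns the
    decoded string, or None when the piece is not base64 or decodes to
    bytes that are not printable text.
    """
    if not _B64_CANDIDATE.match(segment):
        return None
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    decoders = (lambda s: base64.b64decode(s, validate=True),
                base64.urlsafe_b64decode)
    for decoder in decoders:
        try:
            text = decoder(padded).decode("ascii")
        except (ValueError, binascii.Error):
            continue
        if text and text.isprintable():
            return text
    return None


def find_dune_indicators(url):
    """Return (raw_piece, decoded) pairs whose decoded text is a known indicator."""
    parts = urlsplit(url)
    pieces = [seg for seg in parts.path.split("/") if seg]
    pieces += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    for piece in pieces:
        decoded = decode_base64_segment(piece)
        if decoded is not None and decoded.lower() in DUNE_INDICATORS:
            hits.append((piece, decoded))
    return hits


def scan_proxy_log(lines):
    """Scan proxy-log lines of the form 'timestamp client method url' and
    return one finding per line that carries a decoded indicator."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the scan
        timestamp, client, method, url = fields[:4]
        hits = find_dune_indicators(url)
        if hits:
            findings.append({"timestamp": timestamp, "client": client,
                             "method": method, "url": url,
                             "indicators": [decoded for _, decoded in hits]})
    return findings


# Constructed sample log (hosts and addresses are placeholders). The third
# line carries base64("arrakis02") as a path segment and the fourth carries
# base64("houseatreides94") as a query value; the second line carries a
# benign base64 segment ("hello") that must decode but not be flagged.
SAMPLE_LOG = [
    "2014-10-14T09:12:01Z 10.0.5.23 GET http://intranet.example/index.html",
    "2014-10-14T09:12:07Z 10.0.5.23 GET http://cdn.example/aGVsbG8=/logo.png",
    "2014-10-14T09:13:44Z 10.0.5.41 GET http://c2.example/YXJyYWtpczAy/",
    "2014-10-14T09:14:02Z 10.0.5.41 POST http://c2.example/upload?id=aG91c2VhdHJlaWRlczk0",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding["timestamp"], finding["client"], finding["indicators"], finding["url"])
```

Matching on the decoded text rather than on a fixed list of encoded strings matters because the same indicator encodes differently depending on where it sits in a longer path segment or whether padding was stripped; decoding first makes the comparison independent of that.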

“Some of the references were very obscure so whoever was writing the malware was a big Dune geek,” says John Hultquist, senior manager for iSight’s Cyber Espionage Threat Intelligence team.

The zero-day vulnerability used in some of the attacks was spotted in early September. The attackers use it to infect victims with malicious attachments, primarily PowerPoint files. iSight Partners has been working with Microsoft to fix the problem, a patch for which is being released today along with a report from the security firm about its findings.

The zero-day affects the way Windows handles PowerPoint files and allows the attackers to execute remote code on targeted systems. When a victim clicks on a malicious PowerPoint file, the exploit in the file installs a malicious executable that opens a backdoor onto the system.

“They’ve had a high degree of success in terms of infiltration based on the use of the zero day,” says Hultquist.

Some Sandworm attacks also use five older vulnerabilities that have already been patched. The exploits are used to install various versions of BlackEnergy, a malicious tool used by cybercriminals. The tool gained notoriety in 2008 when botnets infected with the malware were used to launch denial-of-service attacks against systems in Georgia during a standoff between that country and Russia.

Researchers at iSight say the use of conventional criminal malware has helped the attackers blend in with other operations and remain under the radar, since any victims who uncovered infections probably believed their computers had been infected for a botnet to be used by spammers.

The first variant of BlackEnergy was created by a Russian national named Oleksiuk Dmytro, with limited functionality as a DDoS tool. A subsequent variant included modules for stealing banking credentials, though Dmytro has always denied involvement in developing later versions of the tool. The Sandworm team appears to be using the malware to collect intelligence. The researchers say their use of BlackEnergy indicates a link between the attackers and the criminal underground, although their campaign is more sophisticated.

The researchers have found samples of the malware that are built to communicate through the internal proxy servers on a victim’s network. Many companies install proxies between internal systems and the Internet to protect those internal systems and enforce internet usage policies. Outgoing communication gets routed through the proxy servers, which use private internal IP addresses that are not advertised to the outside world. The researchers found proxy addresses belonging to victim networks hard-coded into the malware so that the attackers could exfiltrate stolen data to their command-and-control servers. The attackers had obviously done reconnaissance and knew the layout of the internal network well enough to know how to get the stolen data out.

“Some people might think they’re run-of-the-mill criminals,” says Hultquist. “But they’re not going after credentials. They want knowledge that only a few people can use. That’s security-related information and diplomatic information and intelligence on NATO and Ukraine and Poland.”

Two details of Sandworm lead iSight Partners to conclude it’s originating from Russia, possibly as a state-sponsored operation. First, files used for the command-and-control servers are written in Russian; and second, the victims targeted and the type of information used to lure them into clicking on malicious attachments focus on topics that would be of interest to Russia’s adversaries. One attachment purports to be a list of pro-Russia “terrorists” that the victim is invited to view.

Other victims have been targeted with emails purporting to provide information about military and intelligence operations directed against Russia. In 2013, NATO was targeted with a phishing document focused on European diplomacy, and a Polish energy firm was targeted with an attachment purporting to be about shale gas. Earlier this year, high-level government officials attending the GlobSec conference in Bratislava, Slovakia, were targeted with a malicious email purporting to come from conference organizers. Ukrainian Prime Minister Arseniy Yatsenyuk and Vitali Klitschko, former heavyweight boxing champion and a candidate for the post of mayor of Kiev, were scheduled to attend the conference but cancelled at the last minute.

Tags:
Sandworm hackers NATO USA Russia PowerPoint
Source:
Wired