Microsoft and security firm iSight Partners say Russian hackers are exploiting a vulnerability in all supported versions of Windows (Vista SP2 through Windows 8.1, plus Windows Server 2008 and 2012) to spy on NATO, the Ukrainian government, Western European governments, European telecommunications companies, a U.S. academic organization and energy firms.
The group, which iSight calls Sandworm, has been spying on high-ranking officials through a zero-day vulnerability: a previously unknown flaw for which no patch existed when researchers first saw it being exploited.
iSight Partners says it has been monitoring Sandworm since 2013, though the group appears to have been active since 2009. Sandworm relies on spear-phishing, in which the attackers email carefully targeted recipients booby-trapped documents (in this campaign, crafted PowerPoint files that abuse the Windows OLE packager) to lure them into opening the attachment.
"Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia," says iSight Partners. "The team has recently used multiple exploit methods to trap its targets, including the use of BlackEnergy crimeware, exploitation of as many as two known vulnerabilities simultaneously, and this newly observed Microsoft Windows zero-day."
While Sandworm is said to be made up of Russian nationalists, there is not enough evidence to tie the group to the Kremlin, according to security experts. The group also used a piece of cookie-cutter crimeware alongside its spear-phishing attempts, which can make the activity look like ordinary cybercrime rather than espionage.
"[Without enough supporting evidence, security analysts may] just think that this is just a run-of-the-mill fraud or spam or 'DDoS bot' when it's really something more dangerous," said John Hultquist, the senior manager at iSight.
Although the problem was discovered earlier, iSight held off announcing it until Microsoft had developed a patch for the affected Windows client and server versions. The fix, tracked as CVE-2014-4114, shipped in Microsoft's Patch Tuesday updates on Oct. 14 as security bulletin MS14-060.
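Because the exploit arrives as an ordinary-looking document, the practical defence is simply to confirm the update is actually installed on every Windows host. The following PowerShell snippet is an added example (not part of the original article and not iSight's or Microsoft's code) that queries a list of machines for the hotfix; it assumes the MS14-060 update is installed as KB3000869 and that the computer names and the remote-query permissions are your own.

```powershell
# Added example: check whether the MS14-060 fix for CVE-2014-4114 is installed.
# Assumption: the update appears in the hotfix list as KB3000869.
function Test-Ms14060Installed {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),  # hosts to query (assumed reachable)
        [string[]]$KbId = @('KB3000869')                # hotfix ID(s) to look for
    )

    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads the installed updates; -Id filters on the KB identifier.
            $found = Get-HotFix -ComputerName $computer -Id $KbId -ErrorAction Stop
            [pscustomobject]@{
                Computer    = $computer
                Patched     = ($found.Count -gt 0)
                InstalledOn = ($found | Select-Object -First 1).InstalledOn
                Error       = $null
            }
        }
        catch {
            # Get-HotFix throws when the KB is absent or the host cannot be reached;
            # report that distinctly so an unreachable machine is not read as patched.
            [pscustomobject]@{
                Computer    = $computer
                Patched     = $false
                InstalledOn = $null
                Error       = $_.Exception.Message
            }
        }
    }
}

# Usage: list every host that is not confirmed patched.
Test-Ms14060Installed -ComputerName 'WKS01', 'WKS02', 'FILESRV01' |
    Where-Object { -not $_.Patched } |
    Format-Table -AutoSize
```

Run it from an account with administrative rights on the target machines; a host that shows up with an error rather than a KB entry should be treated as unverified, not as safe.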
iSight is not willing to disclose the exact evidence that led it to conclude the perpetrators are Russian, but the choice of targets and the content of the lure documents are among the overt indicators that pointed the firm toward Sandworm. As for the targets of the attacks, iSight believes all of them were compromised to some degree.
"Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree," says iSight Partners. "We immediately notified targeted entities, our clients across multiple government and private sector domains and began working with Microsoft to track this campaign and develop a patch to the zero-day vulnerability."
Sandworm's zero-day exploit was revealed roughly a week after another criminal ring launched a sophisticated string of attacks on ATMs across Europe, Asia and Latin America. After malware was loaded onto the ATMs from CD-ROMs, the machines would dispense cash on the attackers' command, without any card, on two days of the week.