Russian Hackers Organises a 5-Year Old Cyber-Espionage Campaign

Researchers of iSIGHT Partners examined the code used in the attacks and observed that government leaders and institutions have been targeted by a cyber-espionage campaign apparently based in Russia since last five years.

Security researchers of iSIGHT said that the team known as Sandworm has been active since 2009 and has been using Windows vulnerability CVE-2014-4114 in concurrence with a series of other flaws to compromise users of government agencies, academic institutions, NATO, a telecom, defense and energy firms.

The researchers named the operation as "Sandworm" as the attackers make numerous references to the famous 1960s science fiction epic Dune in their code.

The attackers use spear-phishing emails to target and lure users into opening a rigged PowerPoint file containing the exploit code for the vulnerability. Once the exploit code fires, it downloads the malware known as Black Energy which starts collecting sensitive data for exfiltration.

Researchers said that the malware steals SSL keys, sensitive documents and code-signing certificates along with other items. The Windows zero day affects all versions of Windows which are presently supported and researchers said that exploiting the bug is very simple. The exploit code can be loaded into any Office document and when it executes, the machine does not crash and so the user may not be aware of any attack.

iSIGHT believes that the attackers may be Russian because researchers found files in Russian language on the command server employed by Sandworm. Another indication is that the lists of victims are all strategically connected to the Ukrainian conflict. While research pundits have not found any technical indications which link the criminals to the Russian government but according to the company, the fact that the operation centered on cyber-espionage and not cybercrime which means high probability of involvement of nation-state. It is also very dearly and time-consuming to hunt for security holes in the operating system which indicates that the group had most likely got nation-state support and funding.

Researchers of F-Secure previously identified Sandworm in a whitepaper released last month on a group known as Quedach. Securityweek.com published news on 14th October, 2014 quoting a written statement of F-Secure researchers as "In the summer of 2014, we observed that some samples of BlackEnergy malware started targeting organizations of Ukrainian government for collecting information."

» SPAMfighter News - 10/24/2014