Russians Suspected in Ukraine HackReport Suggests NATO, Polish Systems Also Breached
Exploiting a flaw in Microsoft Office, a group of hackers believed to be Russians breached computers operated by the Ukrainian government, according to the cyberthreat intelligence firm iSight Partners. The breach occurred during September's NATO summit in Wales, where leaders addressed Russia's seizure of Ukrainian territory.
See Also: 2016 State of Threat Intelligence Study
A report issued by iSight Partners on Oct. 14 about the cyber-attacks says the hackers also targeted other European governments, including Poland; NATO; a French telecommunications provider; a Polish energy company; and an American university. The report's publication coincides with Microsoft's release of a patch to fix the flaw, a zero-day vulnerability in Microsoft Office, which was given a National Vulnerability Database code of CVE 2014-4114. Asked about the vulnerability, a Microsoft spokesperson would only say the company was issuing the patch as part of its monthly program to address flaws in its software.
But Brian Honan, a cybercrime adviser to Europol in Dublin, calls it a "significant vulnerability" because it "impacts PowerPoint across [so many] versions of Windows."
The hackers - dubbed Sandworm Team because of encoded references in the malware to the fictitious desert-dwelling creature from the science fiction classic Dune - sent Ukrainian officials a Microsoft PowerPoint file that referenced Ukraine's Security Service's anti-terrorism operation and claimed to contain a list of people involved in pro-Russian terrorist activities, iSight Partner says. In reality, the malicious file contained a list of politicians' names. When the officials opened the attachment, it automatically installed a variant of BlackEnergy, a distributed-denial-of-service Trojan that hackers over the past few years have transformed into a sophisticated piece of malware capable of a variety of tasks, including e-snooping.
Evidence Points to Russians
iSight Partners says evidence it analyzed can't conclusively finger the ultimate sponsor of these breaches, but the company says the use of targeting and social engineering, historic use of BlackEnergy malware and several technical artifacts suggest an actor of Russian origin.
"When you're looking at these things, you're looking through a pinhole back to figure that out," says Patrick McBride, an iSight Partners vice president.
For instance, iSight Partners says, social engineering content used to deliver the malware has been specific to the conflict with Russia and is designed to appeal to personnel - mostly policymakers, defense officials and diplomats - directly involved in military and intelligence operations against Russia and pro-Russian targets.
Also, files retrieved from an open directory on a command-and-control server indicate that the operators' language is Russian. One file was a directory listing with the output in Russian, and another was a help file for the BlackEnergy Trojan that was also written in Russian.
Botnets employing BlackEnergy 1, originally used in criminal activity, were re-directed during the Russian invasion of Georgia in 2008 to target Georgian and American assets as part of a simultaneous cyber-conflict. "Though the use of botnets could not be tied to any Russian agency," the ISight Partners report says, "they were acting in a manner consistent with Russian doctrine."
Paul Rosenzweig, a former Department of Homeland Security deputy assistant secretary for policy, says Russia had used "patriotic hackers" in the Georgian invasion. "Russia has a very able set of cyber capabilities," he says.
Hacking Activity Escalates
The Sandworm Team dates back to at least 2009, but iSight Partners says it did not begin monitoring the hacking group until late 2013, when it began to increase its activity. In May, the group targeted attendees at GlobeSec, a central European security conference that attracts attendees worldwide. The following month, Sandworm targeted a Western European government agency, the Polish energy firm and a French telecommunications firm.
In June, Sandworm attacked Western European government agencies, the Polish energy firm and the French telecommunications provider. ISight Partners declined to identify the names of specific government agencies and businesses breached.
Researchers at iSight Partners discovered the zero-day vulnerabilities on Sept. 3, and the company says it immediately notified targeted parties as well as its clients. Two days later, iSight Partners says it began working with Microsoft, providing technical analysis of the vulnerability and malware used in the exploit.
Honan says the zero-day flaw is a reminder that all software - including Microsoft's - has flaws, and says this bug likely won't impact the software giant's reputation. "Microsoft is probably one of the few software companies that have demonstrated a track record in taking security in their products seriously," he says.
Zero-Day Vulnerability Details
ISight Partners says the vulnerabilities exist in the OLE package manager in Microsoft Windows and Server and affect all versions of the Windows operating system from Vista SP2 to Windows 8.1 as well as Windows Server versions 2008 and 2012. When exploited, the vulnerability allows an attacker to remotely execute arbitrary code.
The iSight Partners analysis concludes the vulnerability exists because Windows allows the OLE packager to download and execute INF files. Object Linking and Embedding, or OLE, allows embedding and linking to documents and other objects. The Object Packager allows a non-OLE object to be packaged so it can be embedded into an OLE client. An INF file is a text file that contains all the information that device installation components used to install a driver. Specifically, the packagers allow a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands. An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods to persuade a user to open it.
Delaying revelation of the breaches until Microsoft issued the patch was appropriate, says Gavin Millard, a technical director in London for the network monitoring firm Tenable Network Security. "If the descriptions of the bug are accurate, it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information," Millard says. "When zero-day exploits associated with common file formats are exposed, malware to take advantage of it quickly follows."
(Managing Editor Mathew Schwartz contributed to this story.)