Attackers exploited a zero-day vulnerability in Windows to spy on NATO, the European Union, Poland, Ukraine, private energy organizations, and European telecommunications companies, according to cyber-intelligence firm iSight Partners.
Microsoft is expected to patch the flaw today as part of October’s Patch Tuesday release.
The espionage campaign began five years ago and is still in progress, iSight said in its advisory. It has evolved several times over the years to adopt new attack methods, and only began targeting the Windows zero-day with malicious PowerPoint files in August, according to the company. iSight analysts have named the operation “Sandworm Team” because the attackers included several references to Frank Herbert’s Dune in the code.
“It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day,” iSight warned.
Sandworm targeted victims with malicious PowerPoint documents which, when opened, triggered the zero-day bug in all supported versions of Windows, including Windows Vista, 7, and 8 as well as Windows Server 2008 and 2012, iSight said. The exploit installed another executable file onto the infected machine to open a backdoor, giving the attackers remote access.
The zero-day itself may not be as scary as it sounds, according to one security expert. “People shouldn’t panic about Sandworm,” Ross Barrett, senior manager of security engineering at Rapid7, said over email. Even though the vulnerability is present in all supported operating systems, it is a local file-format exploit, a class of bug that is fairly common and routinely patched by Microsoft. While the bug can give attackers complete control of the compromised system, they need to carry out a multi-stage attack in order to exploit this flaw. “The steps required to get there limit the impact of this vulnerability,” he said.
While Microsoft has patched the flaw, iSight also provided some workarounds, such as disabling the WebClient service to prevent Web Distributed Authoring and Versioning (WebDAV) requests from being transmitted, blocking TCP ports 139 and 445, and preventing executables from being launched by setup .inf files.
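To show what two of those interim workarounds look like when applied, here is an added PowerShell script that is not part of the article and not iSight’s or Microsoft’s guidance. It audits a host and, only when run with the hypothetical `-Remediate` switch, stops and disables the WebClient service and adds an outbound firewall rule for TCP 139 and 445. It assumes an elevated session on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets are available; the firewall rule name is a constructed value, and the third workaround (blocking executables launched from setup .inf files) is not covered here.

```powershell
# Added example, not from the article or from iSight: audit and optionally apply
# two of the interim workarounds (WebClient service, outbound TCP 139/445).
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

# 1. WebClient service: the component that issues WebDAV requests.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "WebClient service not present on this host."
} else {
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Output ("WebClient: status={0} startmode={1}" -f $svc.Status, $startMode)
    if ($Remediate) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
        Write-Output "WebClient stopped and set to Disabled."
    }
}

# 2. Outbound TCP 139 and 445, the ports named in the workaround.
$ruleName = 'Workaround - Block outbound TCP 139/445'   # constructed rule name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Firewall rule '$ruleName' already exists (Enabled=$($rule.Enabled))."
} elseif ($Remediate) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 139,445 -Action Block -Profile Any | Out-Null
    Write-Output "Created firewall rule '$ruleName'."
} else {
    Write-Output "Firewall rule '$ruleName' not present; run with -Remediate to create it."
}
```

Run it once without the switch to see the current state, then with `-Remediate` on hosts where the change is acceptable. Both workarounds have side effects worth checking first: disabling WebClient breaks mapped WebDAV drives and SharePoint “Open with Explorer”, and blocking outbound 445 cuts off SMB file and print sharing, so they are stopgaps until the patch is deployed rather than permanent settings.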
It’s not known at this point what kind of information the attackers were after. Considering the list of victims, it’s likely the attackers were looking for information regarding the Ukraine crisis, diplomatic communications, and sensitive documents related to the energy and telecom industries. Sandworm also attempts to steal SSL keys and code-signing certificates, which may be used in future attacks.
iSight believes the attackers are Russian because analysts found Russian-language files on the command server used by Sandworm. The list of victims was another clue, since they are all strategically related to the Ukrainian conflict. While researchers haven’t found technical indicators linking the attackers to the Russian government, the fact that the campaign focused on cyber-espionage and not cybercrime meant nation-state involvement was highly likely, according to the company. It’s also expensive and time-consuming to look for security flaws in the operating system, making it quite possible the group had nation-state funding and support.
For example, the group targeted NATO computers with emails with a malicious document claiming to have information on European diplomacy back in December. An American academic with a focus on Ukraine and several Ukrainian regional government officials received spear-phishing messages just before a NATO summit over the summer. The malicious messages claimed to have information gathered by Ukrainian security services on Russian sympathizers, such as a list of pro-Russian extremists, iSight said.
It’s interesting that iSight found the zero-day flaw “being used in Russian cyber espionage attacks in the wild, targeting NATO, the European Union, and the telecommunications and energy sectors, but that’s probably the most interesting aspect of it,” Barrett said.
Previous Sandworm attacks exploited older vulnerabilities to install the BlackEnergy exploit kit. BlackEnergy was used to build botnets that launched distributed denial-of-service attacks against computers in Georgia during the country’s conflict with Russia back in 2008. Originally a DDoS tool, BlackEnergy evolved to steal banking credentials and other information.
Sandworm was previously identified by F-Secure researchers in a whitepaper on a group they called Quedagh, released last month. “In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukrainian government organizations for information harvesting,” F-Secure researchers wrote at the time.
iSight is sharing the detailed report with its customers but warned that malware and indicator data could be potentially misused to create “copycat exploits.”
*Updated with additional information, commentary and reactions.