
Russian hackers used Windows bug to target Nato

AIpha




October 14 2014
Technology



The bug targeted Nato and western governments among others

Russian hackers exploited a bug in Microsoft's Windows to spy on computers used by Nato and western governments, a report indicates.


The same bug was used to access computers in Ukraine and Poland, said cyber-intelligence firm iSight Partners.

It did not know what data the hackers had accessed but speculated that they were looking for information about the crisis in Ukraine.

Microsoft said it would fix the bug.

A spokesman said that the company would roll out an automatic update to affected versions of Windows.

State-sponsored?

The hacking campaign has been dubbed Sandworm because the researchers found reference to the science fiction series Dune in the software code.

Other victims include energy, telecommunications and defence firms, delegates of the GlobSec conference about national security and an academic who was an expert in Russian-Ukraine relations.

The hacking campaign had been going on for five years, although the use of the so-called zero-day vulnerability in Windows (meaning a bug that Microsoft was not previously aware of) began only in August this year and allowed the hackers to ramp up their campaign and target more sources.

Although iSight could not say whether the hackers had ties with the Russian government, one senior analyst said he thought the campaign was supported by a nation state because the hackers were engaged in information-gathering rather than making money.

In a 16-page report, iSight explained how, in December 2013, Nato was targeted with a document purporting to be about European diplomacy but with malicious software embedded in it.

At the same time, several regional governments in the Ukraine and an academic working on Russian issues in the US were sent malicious emails, claiming to contain a list of pro-Russian extremist activities.

Polish connection


Other research firms, including F-Secure, have previously reported on the Sandworm bug - albeit under another name, Quedagh.

Senior researcher Mikko Hypponen said that the malware had gone undetected for years because it had been repackaged from an even older bug.

"The malware has been around for years - it used to be a denial-of-service bot called Black Energy which these hackers have repurposed for their needs."

"The interesting thing is that when it is detected by IT staff it will show up as Black Energy, which they will see as a very old run-of-the-mill bug that didn't do much."

The iSight research team said that it was tracking a "growing drum beat" of cyber-espionage activities emanating from Russia.

The ex-Soviet states had always been the number one source of malware, agreed Mr Hypponen, and since the Ukraine crisis he too has seen a rise in the number of espionage-based attacks.

"Although we have also seen as many attacks from the Quedagh bug in Poland as in Ukraine and we can't really explain that," he said.


 

iSight Partners finds Russian cyber-attack linked to Ukraine crisis

Hackers use Microsoft Windows flaw in attacks linked to Ukraine crisis


PUBLISHED : Wednesday, 15 October, 2014, 5:12am
UPDATED : Wednesday, 15 October, 2014, 5:12am

The Washington Post


A Russian hacking group has been exploiting a previously unknown flaw in Microsoft's Windows operating system to spy on Nato, the Ukrainian government, a US university researcher and other security targets, according to a report.

The group had been active since at least 2009, according to research by iSight Partners, a cybersecurity firm. Its targets in the recent campaign also included a Polish energy firm, a Western European government agency and a French telecoms firm.

"All indicators from a targeting and lures perspective would indicate espionage with Russian national interests," said iSight senior director Stephen Ward.

The Russian government has denied similar allegations of cyber espionage in the past. Current and former US intelligence officials, nonetheless, say the capabilities of Russian hackers are on par with those of the United States and Israel.

"It's possible they've become more active in response to the Ukrainian situation," said a former intelligence official. "And when you become more active, you increase your likelihood of getting caught."

ISight dubbed the hacking group SandWorm because of references embedded in its code to the fictional planet Arrakis in the science fiction novel Dune.

The firm began monitoring the hackers' activity late last year and discovered the vulnerability — known as a "zero-day" — in August, Ward said.

The flaw was present in every Windows operating system from Vista to 8.1, he said, except for Windows XP, which was not affected.

The Ukrainian government was targeted in September, a period coinciding with the Nato summit in Wales, where member states discussed Russia's actions in Ukraine.

Using a technique called "spearphishing", SandWorm sent emails to targets that appeared to come from legitimate sources but included attachments that, when opened, enabled the hackers to gain access to their computers, Ward said.

Some of the emails appeared to concern a global security forum on Russia and a purported list of Russian sympathisers or "terrorists", the firm said.

ISight was not able to determine how successful the hackers might have been in obtaining information. But Robinson said that by analysing the malware files, it was able to determine that certain targets, including a Ukrainian government server, had been compromised.

Microsoft plans to release a patch for the vulnerability as part of the security industry's monthly "Patch Tuesday", a coordinated release of fixes to vulnerabilities in software.

SandWorm adapted malware previously used by cybercriminals, probably "to mask" its espionage intents, Ward said.

 