The Russian cyber espionage and cybercrime worlds once again have collided in a newly discovered cyberspying campaign that uses a zero-day flaw found in all supported versions of Microsoft Windows.
Researchers at iSIGHT Partners, who have been tracking the so-called Sandworm cyber espionage team out of Russia and four other such teams there for some time, discovered the group using a previously unknown security weakness in Windows. Today, as part of its monthly patch cycle, Microsoft will issue a patch for the CVE-2014-4114 bug, which is found in Windows Vista; Windows versions 7, 8, and 8.1; and Windows Server 2008 and 2012.
The Sandworm gang is using the zero-day for the initial attack, which then drops a variant of the notorious BlackEnergy Trojan traditionally used by the pervasive Russian cybercrime underground. This intersection between nation-state spying and the criminal underground in Russia has been on the rise this past year, security experts say, with the attacks escalating in the wake of the Ukrainian conflict and sanctions by the US and others against Russia for its actions in Ukraine.
Among the targets of Sandworm are NATO, the Ukrainian government, a US think tank specializing in Russian issues, Polish government and energy entities, a French telecommunications firm, and a Western European government agency.
The group has been active since 2013, but the zero-day attack wasn't spotted by researchers monitoring the group until late August, when its attacks became more directed at Ukrainian and related targets, including the US think tank.
Sandworm is using the cyber espionage-style zero-day exploit embedded in a Microsoft Office file -- in this case, a PowerPoint presentation attachment -- in a spear-phishing attack campaign. The vulnerability, which is basically a weakness in Windows' OLE packaging function, rather than a traditional type of bug, allowed the attackers to run the infected PowerPoint file in animation mode, which triggers the flaw and ultimately infects the victim's machine as he or she views the PowerPoint. The user doesn't get the typical Office prompt asking whether to run animation in the file; it automatically runs.
"Normally, user interaction requires [these objects in Windows] to trigger," says Drew Robinson, a senior malware analyst with iSIGHT Partners. But all it takes is for the user to open the PowerPoint file, and the malware installs on the machine.
The cybercrime link used in these targeted attacks is the notorious BlackEnergy Trojan, which over the years has been used for everything from DDoS attacks to online bank fraud and, most recently, targeted attacks in cyber espionage campaigns. ESET researchers said late last month they had spotted BlackEnergy being used in attacks via malicious PowerPoint files, targeting organizations in Ukraine and Poland. F-Secure also has kept close tabs on the Russian cyberspying gang.
"As cybercrime becomes more commoditized, this excess intrusion capacity is finding its way into cyber espionage kinds of actions and capabilities," says Stephen Ward, senior director of marketing at iSIGHT. "This blurring of lines [also] gives them the ability to mask their attacks around cybercrime" and thus blend in with everyday malware attacks.
The intersection between cybercrime and cyber espionage has been evolving. Greg Hoglund, CEO of the new startup Outlier Security and the former CEO and founder of HBGary, says he has seen several cases of overlap between cyber espionage and cybercrime. "I had one case two years ago where there was a Zeus bot infection, and they [the victim organization] dismissed it as common malware," Hoglund says. "We examined the bot, and it had XLS, DOC, and all types of extensions specially [built] in plugins to grab those intellectual property documents. It was stealing [their] IP."
Microsoft would not elaborate on the new Windows zero-day found in the Sandworm attacks, except to confirm that the vulnerability will be among the patches issued today. "On October 14, as part of our Update Tuesday monthly process, we will release security bulletin MS14-060 to help protect customers," a Microsoft spokesperson said.
iSIGHT's Robinson says the flaw is "extremely easy to recreate," so it wouldn't be difficult for other attackers to exploit it, as well.
[New research from Symantec spots US and Western European energy interests in the bull's eye, but the campaign could encompass more than just utilities. Read Cyberspying Campaign Comes With Sabotage Option.]
Meanwhile, the Sandworm gang has been spotted attempting to steal all types of documents, SSL certificates, code-signing certificates, and user credentials. "We know they were successful with the Ukraine government. The server hosts they used had an intimate knowledge of their [the agency's] internal network already, and they were trying to regain access," Robinson says.
Interestingly, the Russian hackers' affinity to the Dune science fiction series ultimately exposed them. They included Dune references in the BlackEnergy malware, which allowed the researchers to cross-correlate their command and control and view more of their operations.
Robinson says he and his team also were able to access a public-facing file directory the attackers left wide open, which in turn provided more clues that they were Russian speakers. "They put a lot of references to Dune in their URLs."
Sandworm is not the same Russian cyber espionage gang that's behind the Havex malware. That group, known as Energetic Bear/Dragonfly/Koala, unleashed attacks this year against US and other Western energy and oil operators by planting Trojan-rigged software updates on the websites of the targeted organizations' industrial control system (ICS) software vendors. Energetic Bear also is associated with attacks on pharmaceutical, construction, education, and IT firms, mainly in the US, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, and China.
Unlike Chinese cyber espionage groups, which often are organized by region or industry targets, Russian cyberspy gangs characteristically have a large amount of overlap in their operations.
iSIGHT Partners has posted an FAQ on the attack campaign and the Windows bug here.