Russian hackers target NATO, Ukraine through Windows zero-day exploit

iSight says the "Sandworm" team has targeted NATO, the European Union, Ukraine and industry through a previously unrecognized Windows zero-day exploit.
Written by Charlie Osborne, Contributing Writer

Russian hackers have exploited a bug in Microsoft's Windows operating system in order to target computers used by NATO, the European Union, Ukraine and the telecommunications and energy sectors, according to security firm iSight.

In a blog post Tuesday, Dallas-based iSight, in collaboration with Microsoft, said the zero-day vulnerability impacts all supported versions of Microsoft Windows and Windows Server 2008 and 2012. The Redmond giant is readying a patch for the CVE-2014-4114 vulnerability, used for the "Sandworm" cyberattack.

The automatic fix will be part of today's Patch Tuesday release.

The exploit has been used as part of a five-year cyberespionage campaign, according to iSight. The hackers, dubbed the "Sandworm team" -- based on coded references to the science fiction series Dune -- have been monitored by iSight from late 2013 to the present day, although the campaign appears to have been active since 2009. Spear phishing with malicious file attachments is one of the group's favored methods of infiltrating computer systems; its other methods include the use of BlackEnergy crimeware, as well as the Microsoft Windows zero-day flaw.

The Windows CVE-2014-4114 vulnerability has been in use since August last year, mainly through weaponized PowerPoint documents.

iSight says that the team has previously launched campaigns targeting the US and EU intelligence communities, military establishments, news organizations and defense contractors -- as well as jihadists and rebels in Chechnya. However, based on evidence gleaned from phishing emails, the group's focus has turned towards the Ukrainian conflict with Russia, the energy industry and political issues concerning Russia.

The cybersecurity experts do not know what data has been lifted over the course of the Sandworm campaign; however, "the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree."

The security team notified government agencies and private sector companies that have been targeted, and began working with Microsoft to patch the zero-day vulnerability, which allows the remote execution of arbitrary code. iSight says:

"Although the vulnerability impacts all versions of Microsoft Windows -- having the potential to impact an enormous user population -- from our tracking it appears that its existence was little known and the exploitation was reserved to the Sandworm team."

By disclosing the security flaw on the eve of Patch Tuesday, iSight believes that the possibility of other hacking teams exploiting the zero-day vulnerability has been minimized.
