Eve Hunter, RKK/ICDS 16 October 2014
In the latest episode of cyber espionage, a Russian hacking group has infiltrated some networks of NATO, the EU, and the Ukrainian government. The group, which researchers have named ‘Sandworm’, due to its frequent references to Frank Herbert’s Dune, obtained its illicit access through spear-phishing techniques (targeted emails that when opened infect the host computer) as well as through zero-day exploits. A zero-day attack is one that exploits a previously undiscovered vulnerability—in this case, one found in all modern Microsoft operating systems.

The cybersecurity firm that caught the intrusions, iSIGHT, has just released a report on the activities and history of Sandworm. The supposedly government-affiliated organization is documented as beginning its operations as early as 2009, but the more serious attacks on NATO networks began in December 2013. From NATO, the operatives then targeted attendees of the policy conference GlobSec, held in May of this year in Bratislava. After the conference, Sandworm shifted its attention towards a Polish energy firm and a French telecommunication organization.

Of course, once Russia began its land invasion of Ukraine, hackers, believed to be operating under instructions from Moscow, also went to work. In fact, information operations from Russia to Ukraine began well before the land operations. Sandworm infiltrated Ukrainian government networks, as well as NATO’s prior to the Wales summit. These attacks were particularly devastating as this is when Sandworm finally took advantage of the Windows zero-day vulnerability (which had existed for years).

What is particularly noteworthy about these attacks is one the one hand, their high level of sophistication – with highly detailed and informed spear-phishing attacks. Unlike other more commonplace spear-phishing, the attachments containing the malware were not suspicious in the least. Each pursuit of information was extremely well-tailored. But on the other hand, a few Russian-language files were left in an open source directory – evidence of sloppy security practices. Sandworm also incorporated cybercrime malware technology BlackEnergy in their attacks. The BlackEnergy botnet, used for Distributed Denial of Service (DDoS) attacks was used in 2007 and 2008; the source code was available for comparison and helped attribution teams link the attacks to Russia.

iSIGHT worked with Microsoft to notify the affected parties immediately upon discovering the exploit in early September. This past Tuesday, Microsoft released a patch to prevent any more computers from being penetrated.

The discovery of these attacks coincide with the discovery of a different Russian group infiltrating the American bank JPMorgan Chase networks through an outside company affiliated with the bank, Corporate Challenge. Corporate Challenge organizes races for charity in different cities across the world. Whether these are vigilante groups acting alone, or if this is some sort of coordinated Russian espionage and attack scheme, is as of yet unclear.

In the end, a computer network’s security is only as reliable as the individuals using it. This incident emphasizes the need for organizations like NATO to make an ongoing effort to ensure that staff at all levels practice better cyber hygiene.

Märkmed: