Russian espionage group used Windows 0-day to target NATO, EU

In today’s Patch Tuesday, Microsoft will be releasing a wide variety of patches, and among them will be one for a zero-day vulnerability that has been used in a cyber-espionage campaign targeting NATO, the European Union, Ukrainian and Polish government organizations, and European companies in the telecommunications and energy sectors.

The attack exploiting it has been discovered by iSIGHT Partners, whose researchers were tracking the activities of a group of hackers whom they suspect to be of Russian origin and potentially working for (or selling information to) the Russian government.

“On September 3rd, our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012,” iSIGHT shared.

The vulnerability, dubbed SandWorm (CVE-2014-4114) because of the many references to Frank Herbert’s Dune found in the exploit code, lies in the OLE package manager in Microsoft Windows and Windows Server. In this particular campaign, malicious Microsoft PowerPoint files caused the OLE packager to download additional malicious files, which allowed the attackers to execute commands on the targeted systems.

iSIGHT researchers say that the SandWorm Team has been operational for at least five years, and has been targeting institutions and individuals considered to work against Russian interests.

They have, in the past, exploited at least five other older vulnerabilities, and other security firms have noted that they have used modified versions of the BlackEnergy crimeware to steal confidential information.

iSIGHT has notified Microsoft of the SandWorm vulnerability and has been sharing information with them to assist with the fix.

“The power of the exploit is pretty substantial,” John Hultquist, senior manager of cyber-espionage threat intelligence for iSIGHT, commented for Ars Technica. “From talking to some people over here, they have had a hard time writing signatures for it, and the attack does not crash anything. It’s subtle.”