A Zero Day vulnerability is being actively exploited in a cyberespionage campaign targeting NATO, the European Union, Ukrainian and Polish government organizations, and European companies in the telecommunications and energy sectors, researchers said.
The attacks exploiting it were discovered by iSIGHT Partners, whose researchers were tracking a group of hackers they believe may be of Russian origin.
“On September 3rd, our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a Zero Day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012,” iSIGHT said in a blog post.
The vulnerability, dubbed SandWorm (CVE-2014-4114) because of references to Frank Herbert’s Dune in the exploit code, lies in the OLE package manager in Microsoft Windows and Windows Server. In this campaign, malicious Microsoft PowerPoint files caused the OLE packager to download additional malicious files, which allowed the attackers to execute commands on the targeted systems.
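The delivery vector described above, a PowerPoint file whose OLE object points outside the document, leaves a visible trace in the file itself: in the OOXML (.pptx/.ppsx) format, every object a slide uses is declared in a `.rels` relationship part, and a link to something outside the package carries `TargetMode="External"` or a UNC/URL target. The following scanner is an added defender-side example, not code from the article or from iSIGHT; it assumes the standard OOXML `oleObject` relationship type URI, builds a constructed sample package in memory (the UNC host `203.0.113.5` and file names are made up), and flags OLE relationships whose target lies outside the package. It is a triage heuristic for mail gateways or sandboxes, not a patch substitute, and it will not see objects embedded in the legacy binary .ppt format.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every .rels part in an OOXML package (standard value).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type that binds a slide to an OLE object (standard value).
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
# Targets that point outside the package: UNC shares, file:// and http(s):// URLs.
REMOTE_TARGET = re.compile(r"^(\\\\|//|file:|https?:)", re.IGNORECASE)


def scan_pptx(data: bytes):
    """Return (rels_part, relationship_id, target) for each OLE object whose
    target is outside the package, i.e. something the OLE packager would fetch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if rtype == OLE_REL_TYPE and (external or REMOTE_TARGET.match(target)):
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_sample(target: str, external: bool) -> bytes:
    """Build a minimal, constructed PPTX-like zip with one slide .rels part.
    Only the relationship part matters for the scanner; the rest is filler."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one linking to a remote share, one benign embedding.
    suspicious = build_sample(r"\\203.0.113.5\share\slide1.gif", external=True)
    benign = build_sample("../embeddings/oleObject1.bin", external=False)
    for label, blob in (("suspicious", suspicious), ("benign", benign)):
        print(label, scan_pptx(blob))
```

Because `scan_pptx` walks every `.rels` part, it also covers OLE objects declared on slide layouts or masters rather than on the slide itself; pairing the finding with the sender and the resolved target host is usually enough for an analyst to decide whether to block the message.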
iSIGHT researchers said the SandWorm Team has been operational for at least five years, and has been targeting institutions and individuals considered to work against Russian interests.
In the past the group has exploited at least five other, older vulnerabilities, and other security firms said it has used modified versions of the BlackEnergy crimeware to steal confidential information.
iSIGHT notified Microsoft about the SandWorm vulnerability and has been sharing information with the company.
The group’s true origin remains uncertain, however.
“The number of cyber espionage operations is growing from one month to the next,” said Alex Gostev, chief security researcher of the Global Research and Analysis Team at Kaspersky Lab. “Some of these operations stand out for various reasons: Sophisticated malware, skills of the cybercriminals, or the resources that enable them to continue their espionage activities for a long period or buy expensive Zero Days. Any of the above may indicate that an espionage operation is connected with the work of government-controlled structures, but proving this connection is extremely difficult – it is the work of investigation agencies, rather than IT security companies. Cybercriminals may leave traces indicating that they speak a certain language or belong to a certain ethnic group in order to mislead investigators. Moreover, people in many post-Soviet countries communicate in Russian, particularly in the information technology sector. Therefore, making conclusions about a ‘Russian’ trace based on this evidence is ill-advised. The files/documents that the cybercriminals are after do not provide sufficient evidence from which to draw firm conclusions either.”