Russian “Sandworm” Hack Reveals 5-Year Cyber Espionage Campaign

image description

Russian “Sandworm” Hack Reveals 5-Year Cyber Espionage Campaign

b2ap3_thumbnail_watch_out_for_sandworms_400.jpgA cyber espionage campaign called “Sandworm” has been discovered recently. The hacking attack, said to be based in Russia, has been targeting government leaders and organizations since as early as 2009. The researchers responsible for the discovery, iSight Partners, came to this conclusion after examining the code used in the campaign.

As reported by WIRED magazine, iSight has only uncovered a few victims targeted by Sandworm, and they are significant ones that include:

  • North Atlantic Treaty Organization (NATO).
  • Ukrainian and European Union governments.
  • Energy and telecommunications firms.
  • Defense companies.
  • An unnamed United States academic singled out for his attention to Ukrainian issues.

Sandworm uses a zero-day vulnerability which is found in all Windows operating systems since Windows Vista (Windows 7, 8, 8.1). Sandworm itself seems to target important documents and emails consisting of an intelligence or diplomatic nature; specifically those about Ukraine, Russia, or other countries in the region. The rest of the list includes stealing SSL keys and code-signing certificates; information which could lead to the spread of Sandworm to their government networks.

The name “Sandworm” is derived from the multiple references to the science fiction series Dune in the code. In Frank Herbert’s books, Sandworms are seen as divine, immortal creatures who are the direct actions of God. These colossal creatures have been given titles such as “Great Maker,” “The Maker,” “Worm who is God,” and so forth. They are seen as earth deities and have also been given names like “Old Man of the Desert,” and “Grandfather of the Desert.” References to characters from the Dune series can be seen in the code itself. Obviously, whoever created the campaign is a huge Dune buff with a God complex.

The attacks were first discovered earlier this September, exploiting a zero-day vulnerability and spreading via infected PowerPoint attachments and files. This vulnerability messes with how a system handles PowerPoint files, and allows hackers to execute malicious code within the affected systems. A backdoor is opened, which lets hackers access the system whenever they please. The patch is now available to fix the vulnerability.

Why Russia?
According to WIRED, there are two details which led to the code probably originating in Russia:

Two details of Sandworm lead the iSight Partners to conclude it’s originating from Russia, possibly as a state-sponsored operation. First, files used for the command-and-control servers are written in Russian; and second, the victims targeted and the type of information used to lure them into clicking on malicious attachments focus on topics that would be of interest to Russia’s adversaries. One attachment purports to be a list of pro-Russia “terrorists” that the victim is invited to view.

Also of interest is the type of malware being used to infect systems. The infected emails install variants of BlackEnergy on systems, a tool used by hackers to perform denial of service attacks. In 2008, this was the primary method used by Russia in its cyber war with Georgia (the country, not the U.S. state). Coincidentally, this happened just before the espionage campaign began. Thanks to the low-profile nature of the BlackEnergy malware, the attacks could be disguised as the average botnet.

When cybercrime is done on a state-level, you know it can be a dangerous gamble to let it go undetected. You should take the same precautions with your business, especially when new threats are revealed to the public. Resolve I.T. can keep your systems secure with our remote monitoring services, and keep your network sound with a Unified Threat Management solution. With UTM, you can expect strong firewalls, antivirus software, web content filtering, and much more. For more information about what Resolve I.T. can do for your business, contact us at (978) 993-8038.