Russian ‘Sandworm’ Hack Has Been Spying on Foreign Governments for Years
Oct 14 2014

A cyberespionage campaign believed to be based in Russia has been targeting government leaders and institutions for nearly five years, according to researchers with iSight Partners who have examined code used in the attacks.

The campaign, dubbed “Sandworm,” is believed to have been running since 2009 and used a wide-reaching zero-day exploit, uncovered by the researchers, that affects nearly every version of the Windows operating system released since Windows Vista.

Although iSight has only a small view of the number of victims targeted in the campaign, the victims include, among others, the North Atlantic Treaty Organization, Ukrainian and European Union governments, energy and telecommunications firms, defense companies, and at least one academic in the US who was singled out for his focus on Ukrainian issues. The attackers also targeted attendees of this year’s GlobSec conference, a high-level national security gathering that attracts foreign ministers and other top leaders from Europe and elsewhere each year.

It appears Sandworm is focused on nabbing documents and emails containing intelligence and diplomatic information about Ukraine, Russia and other topics of importance in the region. But it also attempts to steal SSL keys and code-signing certificates, which iSight says the attackers probably use to further their campaign and breach other systems.

The researchers dubbed the operation “Sandworm” because the attackers make multiple references to the science fiction series Dune in their code. Sandworms, in the Frank Herbert books, are desert creatures on the planet Arrakis who are worshipped as god-like entities.

iSight is not the first to spot the attackers in the wild. Other security firms, including F-Secure in Finland, have uncovered victims over the years. But iSight was able to tie various attacks together to expose commonalities in the five-year campaign. It was encoded references to Dune—which appear in URLs for the attackers’ command-and-control servers—that helped tie some of the attacks together. The URLs include base64 strings that when decoded translate to “arrakis02,” “houseatreides94,” and “epsiloneridani0,” among others.
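A defender can hunt for this kind of indicator by decoding base64-looking tokens in proxy-log URLs and checking the result against the strings quoted above. The sketch below is an added example, not iSight's tooling; the hosts, paths and URL layout in the sample data are constructed, and only the three decoded strings come from the article.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Decoded strings quoted in the article; nothing else here comes from the report.
DUNE_MARKERS = ("arrakis02", "houseatreides94", "epsiloneridani0")

# Runs of base64 / base64url characters, optional padding. "/" is left out so
# path segments stay separate; a token containing "/" would be missed.
B64_TOKEN = re.compile(r"[A-Za-z0-9+_-]{8,}={0,2}")

def decode_candidates(url):
    """Yield (token, text) for URL tokens that decode to printable ASCII."""
    parts = urlsplit(url)
    for token in B64_TOKEN.findall(unquote(parts.path + "?" + parts.query)):
        std = token.rstrip("=").replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)          # restore stripped padding
        try:
            text = base64.b64decode(std, validate=True).decode("ascii")
        except (binascii.Error, ValueError):  # not base64, or not ASCII
            continue
        if text.isprintable():
            yield token, text

def find_markers(urls):
    """Return (url, token, marker) for every decoded token holding a marker."""
    return [(url, token, marker)
            for url in urls
            for token, text in decode_candidates(url)
            for marker in DUNE_MARKERS
            if marker in text.lower()]

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed proxy-log URLs: hosts and paths are invented for the example.
SAMPLE_URLS = [
    "http://c2.example.test/gate/" + _b64("arrakis02") + "/index.php",
    "http://c2.example.test/page?id=" + _b64("houseatreides94"),
    "http://intranet.example.test/static/jquery-3.6.0.min.js",
]

if __name__ == "__main__":
    for url, token, marker in find_markers(SAMPLE_URLS):
        print(f"{marker:16} {token:22} {url}")
```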

“Some of the references were very obscure so whoever was writing the malware was a big Dune geek,” says John Hultquist, senior manager for iSight’s Cyber Espionage Threat Intelligence team.

The zero-day vulnerability used in some of the attacks was spotted in early September. The attackers use it to infect victims with malicious attachments, primarily PowerPoint files. iSight Partners has been working with Microsoft to fix the problem, a patch for which is being released today along with a report from the security firm about its findings.

The zero-day affects the way Windows handles PowerPoint files and allows the attackers to execute remote code on targeted systems. When a victim clicks on a malicious PowerPoint file, the exploit in the file installs a malicious executable that opens a backdoor onto the system.

“They’ve had a high degree of success in terms of infiltration based on the use of the zero day,” says Hultquist.