31478 Industrial Road Suite 200, Livonia, Michigan 48150 sales@xfer.com

XFER Blog

XFER Blog

XFER has been serving the Livonia area since 1994, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Russian “Sandworm” Hack Reveals 5-Year Cyber Espionage Campaign

b2ap3_thumbnail_watch_out_for_sandworms_400.jpgA cyber espionage campaign called "Sandworm" has been discovered recently. The hacking attack, said to be based in Russia, has been targeting government leaders and organizations since as early as 2009. The researchers responsible for the discovery, iSight Partners, came to this conclusion after examining the code used in the campaign.

As reported by WIRED magazine, iSight has only uncovered a few victims targeted by Sandworm, and they are significant ones that include:

  • North Atlantic Treaty Organization (NATO).
  • Ukrainian and European Union governments.
  • Energy and telecommunications firms.
  • Defense companies.
  • An unnamed United States academic singled out for his attention to Ukrainian issues.

Sandworm uses a zero-day vulnerability which is found in all Windows operating systems since Windows Vista (Windows 7, 8, 8.1). Sandworm itself seems to target important documents and emails consisting of an intelligence or diplomatic nature; specifically those about Ukraine, Russia, or other countries in the region. The rest of the list includes stealing SSL keys and code-signing certificates; information which could lead to the spread of Sandworm to their government networks.

The name "Sandworm" is derived from the multiple references to the science fiction series Dune in the code. In Frank Herbert's books, Sandworms are seen as divine, immortal creatures who are the direct actions of God. These colossal creatures have been given titles such as "Great Maker," "The Maker," "Worm who is God," and so forth. They are seen as earth deities and have also been given names like "Old Man of the Desert," and "Grandfather of the Desert." References to characters from the Dune series can be seen in the code itself. Obviously, whoever created the campaign is a huge Dune buff with a God complex.

The attacks were first discovered earlier this September, exploiting a zero-day vulnerability and spreading via infected PowerPoint attachments and files. This vulnerability messes with how a system handles PowerPoint files, and allows hackers to execute malicious code within the affected systems. A backdoor is opened, which lets hackers access the system whenever they please. The patch is now available to fix the vulnerability.

Why Russia?
According to WIRED, there are two details which led to the code probably originating in Russia:

Two details of Sandworm lead the iSight Partners to conclude it's originating from Russia, possibly as a state-sponsored operation. First, files used for the command-and-control servers are written in Russian; and second, the victims targeted and the type of information used to lure them into clicking on malicious attachments focus on topics that would be of interest to Russia's adversaries. One attachment purports to be a list of pro-Russia "terrorists" that the victim is invited to view.

Also of interest is the type of malware being used to infect systems. The infected emails install variants of BlackEnergy on systems, a tool used by hackers to perform denial of service attacks. In 2008, this was the primary method used by Russia in its cyber war with Georgia (the country, not the U.S. state). Coincidentally, this happened just before the espionage campaign began. Thanks to the low-profile nature of the BlackEnergy malware, the attacks could be disguised as the average botnet.

When cybercrime is done on a state-level, you know it can be a dangerous gamble to let it go undetected. You should take the same precautions with your business, especially when new threats are revealed to the public. XFER can keep your systems secure with our remote monitoring services, and keep your network sound with a Unified Threat Management solution. With UTM, you can expect strong firewalls, antivirus software, web content filtering, and much more. For more information about what XFER can do for your business, contact us at 734-927-6666 / 800-GET-XFER.

Grading the New iPhone 6 and 6+ On a Curve
Tip of the Week: How to Decide on a VoIP Plan to F...
 

Comments

No comments made yet. Be the first to submit a comment
Guest
Already Registered? Login Here
Sunday, 22 December 2024

Captcha Image

Customer Login


Cybersecurity Risk Assessment

cybersecurity-audit

Our risk assessment will reveal hidden problems, security vulnerabilities, and other issues lurking on your network.

Request Yours Today!

Contact Us

Learn more about what XFER can do for your business.

XFER Communications, Inc.
31478 Industrial Road Suite 200
Livonia, Michigan 48150