Blog

Britek Solutions Blog

Welcome to our blog, full of IT tips and business technology best practices
Font size: +

Sandworm: Russian Cyber Espionage Campaign Uncovered After 5 Years

b2ap3_thumbnail_sandworms_400.jpgA new threat, dubbed Sandworm by iSight Partners, has been discovered. It is a cyber espionage campaign dating back to at least 2009, and is said to be based in Russia. Sandworm uses a previously undiscovered zero-day vulnerability in Windows operating systems to steal information from government leaders and organizations.

iSight has only uncovered a small number of affected organizations, and they are fairly significant. According to WIRED magazine, Sandworm stole information from:

  • North Atlantic Treaty Organization (NATO).
  • Ukrainian and European Union governments.
  • Energy and telecommunications firms.
  • Defense companies.
  • An unnamed United States academic singled out for his attention to Ukrainian issues.

The zero-day vulnerability exploited by Sandworm can be found in all recent Windows operating systems since Windows Vista (Windows 7, 8, 8.1). Among those affected, a common theme is seen: Targeted documents tend to be of a legal or diplomatic nature, including important documents and emails specifically concerning Ukraine, Russia, or other countries in the Eastern European region. Sandworm can steal SSL keys and code-signing certificates, which allow the malware to spread to other networks.

The name given to this vulnerability, "Sandworm," is a reference to the science fiction series Dune by Frank Herbert. Sandworms are ancient earth deities known for being divine, immortal creatures. Their actions are thought to be acts of God. Herbert gives these creatures names such as the "Great Maker," "The Maker," "Worm who is God," and so on. Known to live for several thousands of years, the Sandworm is also called "Old Man of the Desert," and "Grandfather of the Desert." iSight Partners decided to name the vulnerability Sandworm after finding several references to the Dune series in the attacker's code.

The vulnerability was first discovered earlier this September, exploiting the zero-day vulnerability and spreading via phishing attacks using infected PowerPoint attachments and files. Hackers then execute malicious code within the affected systems, opening a backdoor for later access. The patch has been released, and it is important to fix this vulnerability.

How Does iSight Know It's Russia?
According to WIRED, when trying to determine where the attacks originated, there were two details which led iSight to believe the hackers were in Russia:

Two details of Sandworm lead the iSight Partners to conclude it's originating from Russia, possibly as a state-sponsored operation. First, files used for the command-and-control servers are written in Russian; and second, the victims targeted and the type of information used to lure them into clicking on malicious attachments focus on topics that would be of interest to Russia's adversaries. One attachment purports to be a list of pro-Russia "terrorists" that the victim is invited to view.

What's even more interesting is the nature of the attacks used to infect the systems. The attacks install BlackEnergy, an ominous-sounding tool used by hackers to perform denial of service attacks. In 2008, when Russia set its sights on Georgia (the country), BlackEnergy rose to fame as the primary method of cyber warfare used. This happened just the year before Sandworm is said to have begun. Coincidence? Maybe. Or, maybe not. All we can know is that using the BlackEnergy malware was a low-profile move on the hackers' part, effectively disguising the attacks as an average botnet.

Ordinary cybercrime is cause enough for concern, but when it occurs on the government or state level, you know that it's a big deal. You should treat every threat to your business with the same concern, especially previously undiscovered threats like Sandworm. Britek Solutions has the power to equip your business with powerful security solutions. Our Unified Threat Management (UTM) solution consists of enterprise-level firewalls, antivirus, web content filtering, spam protection, and more. We can also monitor your network for unusual activity or traffic. For more information about our services, contact Britek Solutions at (954) 560-8145.

×
Stay Informed

When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.

Caution: Enhanced Cryptowall Ransomware Threatens ...
Tip of the Week: 13 Shortcuts for Microsoft Outloo...
 

Comments

No comments made yet. Be the first to submit a comment
Guest
Already Registered? Login Here
Guest
Friday, 27 December 2024

Captcha Image

Customer Login

News & Updates

Britek Solutions is proud to announce the launch of our new website at www.briteksolutions.com. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our services for ...

Contact us

Learn more about what Britek Solutions can do for your business.

Britek Solutions
304 Indian Trace Suite #312
Weston, Florida 33326

Copyright Britek Solutions. All Rights Reserved.