Russian hackers suspected of Kremlin ties used Windows bug ‘to spy on west’

Cyber-threat intelligence firm iSight says ‘Sandworm Team’ used unknown bugs from 2009 to steal EU and Nato documents

Russian hackers suspected of ties to the Kremlin have spied on the Ukrainian government, European Union, Nato and others through a previously unknown bug in Microsoft Windows, researchers say.

The cyber-threat intelligence firm iSight Partners said on Tuesday it had found a “zero-day vulnerability” – an unpatched security flaw – affecting almost all versions of the Windows operating system since the 2007 Vista. ISight notified Microsoft of the vulnerability before publishing its findings, and the software multinational said it would release an automatic update to fix it.

A group of hackers iSight called the Sandworm Team reportedly exploited this and other vulnerabilities from 2009 to steal diplomatic and intelligence documents, as well as data that could be used to penetrate further systems. The team targeted dozens of computers used by Nato, the Ukrainian and EU governments, French telecom firms, Polish energy firms and a US academic body, iSight said.

The hackers also targeted some of those attending GlobSec, a national security gathering in May attended by Nato’s secretary general, Anders Fogh Rasmussen, and the prime ministers of Slovakia, the Czech Republic, Poland and Hungary. Many other entities could also have been targeted, iSight said.

Although the cyber-intelligence firm could not say exactly what information the hackers had obtained in their operations, the report noted that the exploitation of a previously undiscovered vulnerability “virtually guarantees that all of those entities targeted fell victim to some degree”.

Notably, the targets included many of the strongest critics of Russia’s annexation of Ukraine’s Crimea peninsula and its support for rebels in eastern Ukraine this year. President Vladimir Putin and other officials have called Nato’s eastward expansion a threat to Russia’s national security, and the Kremlin has engaged in tit-for-tat sanctions with the European Union and United States in recent months.

Although iSight said it did not have any direct evidence of the hackers’ affiliation, several clues pointed to the Russian government.

Files used in the attacks were written in Russian, and researchers said the hackers were most likely government-backed because they engaged in cyber-espionage rather than cyber-crime. In addition, they targeted victims with email attachments purporting to be about topics of interest to Russia’s international adversaries, such as a fake list of pro-Russian “terrorists”.

The zero-day vulnerability arose because Windows allows a technology known as object linking and embedding (OLE) to download certain types of files from unverified sources, which hackers can use to remotely run code and obtain information. In particular, the Sandworm Team reportedly infected targets with malicious email attachments, largely PowerPoint files.

One factor that helped researchers link the attacks was encoded references to Frank Herbert’s classic science-fiction series Dune found in URLs for the hackers’ command-and-control servers. The Dune references were so prevalent that iSight dubbed the hackers the “Sandworm Team” in reference to the huge creatures worshipped as gods on the desert planet where the series is set.

ISight said the Sandworm Team’s campaign was part of a “growing drumbeat of cyber-espionage activity out of Russia”.

But Andrei Soldatov, a journalist and expert on Russia’s security services, said the available information was too sparse to definitively attribute the Sandworm campaign to the Russian government or to conclude that Russian cyber-espionage was on the rise. He noted that few cyber-attacks had been seen in Ukraine this year, unlike in Estonia in 2007 or Georgia in 2008, when conflicts with Russia resulted in a rash of distributed denial-of-service (DDoS) attacks that shut down local servers.

“I don’t rule out the possibility of cyber-espionage operations to obtain information and data, but at the same time, in terms of causing damage, [the Russian government’s] focus has shifted from cyber attacks to the use of social networks for propaganda, mobilisation and recruiting,” Soldatov said.

In the past Moscow has denied conducting cyber-attacks. But this is not the first wide-reaching cyber-espionage operation it has been suspected of in recent months. In August researchers at the Russian software security firm Kaspersky Lab discovered a hacker operation they called Epic Turla that had penetrated an intelligence agency located in the European Union as well as hundreds of other government and military targets in Europe and the Middle East this year.

Although Kaspersky Lab stopped short of blaming Moscow, it said the hackers were probably sponsored by a government and employed techniques and tools similar to other cyber-espionage operations that western intelligence services have linked to the Russian government.


Alec Luhn in Moscow

The Guardian
