Sandworm: Russian Cyber Espionage Campaign Uncovered After 5 Years

A new threat, dubbed Sandworm by iSight Partners, has been discovered. It is a cyber espionage campaign dating back to at least 2009, and is said to be based in Russia. Sandworm uses a previously unknown (zero-day) vulnerability in the Windows operating system to steal information from government leaders and organizations.

iSight has only uncovered a small number of affected organizations, and they are fairly significant. According to WIRED magazine, Sandworm stole information from:

  • North Atlantic Treaty Organization (NATO).
  • Ukrainian and European Union governments.
  • Energy and telecommunications firms.
  • Defense companies.
  • An unnamed United States academic singled out for his attention to Ukrainian issues.

The zero-day vulnerability exploited by Sandworm is present in all recent Windows operating systems since Windows Vista (Windows 7, 8, 8.1). Among those affected, a common theme is seen: targeted documents tend to be of a legal or diplomatic nature, including important documents and emails specifically concerning Ukraine, Russia, or other countries in the Eastern European region. Sandworm can also steal SSL keys and code-signing certificates, which allow the malware to spread to other networks.

The name given to this threat, “Sandworm,” is a reference to the science fiction series Dune by Frank Herbert. Sandworms are ancient earth deities known for being divine, immortal creatures. Their actions are thought to be acts of God. Herbert gives these creatures names such as the “Great Maker,” “The Maker,” “Worm who is God,” and so on. Known to live for several thousands of years, the Sandworm is also called “Old Man of the Desert” and “Grandfather of the Desert.” iSight Partners chose the name Sandworm after finding several references to the Dune series in the attackers’ code.

The campaign was first observed earlier this September, exploiting the zero-day vulnerability and spreading via phishing emails carrying malicious PowerPoint attachments. Once a victim opens the attachment, the hackers execute malicious code on the affected system, opening a backdoor for later access. A patch has been released, and it is important to apply it promptly.

How Does iSight Know It’s Russia?
According to WIRED, two details led iSight to conclude that the attackers behind Sandworm are operating from Russia:

Two details of Sandworm led iSight Partners to conclude it’s originating from Russia, possibly as a state-sponsored operation. First, files used for the command-and-control servers are written in Russian; and second, the victims targeted and the type of information used to lure them into clicking on malicious attachments focus on topics that would be of interest to Russia’s adversaries. One attachment purports to be a list of pro-Russia “terrorists” that the victim is invited to view.

What’s even more interesting is the nature of the attacks used to infect the systems. The attacks install BlackEnergy, an ominous-sounding tool that hackers have used to perform denial of service attacks. In 2008, when Russia set its sights on Georgia (the country), BlackEnergy rose to fame as the primary cyber warfare tool used, just the year before Sandworm is said to have begun. Coincidence? Maybe. Or, maybe not. What we do know is that using the BlackEnergy malware was a low-profile move on the hackers’ part, effectively disguising the intrusions as ordinary botnet activity.

Ordinary cybercrime is cause enough for concern, but when it occurs at the government or state level, you know it’s a big deal. You should treat every threat to your business with the same concern, especially previously undiscovered threats like Sandworm. Think Tank NTG can equip your business with powerful security solutions. Our Unified Threat Management (UTM) solution consists of enterprise-level firewalls, antivirus, web content filtering, spam protection, and more. We can also monitor your network for unusual activity or traffic. For more information about our services, contact Think Tank NTG at 800-501-DATA.