A Russian hacking group probably working for the government has been exploiting a previously unknown flaw in Microsoft’s Windows operating system to spy on NATO, the Ukrainian government, a U.S. university researcher and other national security targets, according to a new report.
The group has been active since at least 2009, according to research by iSight Partners, a cybersecurity firm. Its targets in the recent campaign also included a Polish energy firm, a Western European government agency and a French telecommunications firm.
“This is consistent with espionage activity,” said iSight Senior Director Stephen Ward. “All indicators from a targeting and lures perspective would indicate espionage with Russian national interests.”
The operation used a variety of ways to attack the targets over the years, iSight said, adding that the hackers began exploiting a vulnerability present in most versions of Windows only in August.
iSight said it told Microsoft Corp about the bug and held off on disclosing the problem so the software maker had time to fix it.
A Microsoft spokesman said the company plans to roll out an automatic update to affected versions of Windows on Tuesday.
There was no immediate comment from the Russian government, NATO, the EU or the Ukrainian government.
Researchers with Dallas-based iSight said they believed the hackers are Russian because of language clues in the software code and because of their choice of targets.
iSight dubbed the recently detected hacking group SandWorm because of references embedded in its code to the science-fiction novel “Dune.” There were various mentions in Russian of the fictional desert planet of Arrakis, for instance.
The firm began monitoring the hackers’ activity in late 2013 and discovered the vulnerability in August, Ward said. Such a flaw is known as a “zero-day” because it is being exploited before the vendor has a fix available. The flaw is present in every Windows operating system from Vista to 8.1, he said, but not in Windows XP.
The Ukrainian government was targeted in late August, in the lead-up to the NATO summit in Wales, where member states discussed Russia’s actions in Ukraine. Using a technique called spearphishing, SandWorm sent e-mails to targets that appeared to come from legitimate sources but included attachments that, when opened, enabled the hackers to gain access to their computers, Ward said.
Some of the spearphishing e-mails appeared to concern a global security forum on Russia and a purported list of Russian sympathizers or “terrorists,” the firm said.
iSight technical analyst Drew Robinson said the firm attributed the campaign to Russia partly because of the targets and partly because the command server, located in Germany, had not been properly secured. The server was inadvertently exposing Russian-language computer files that had been uploaded by the hackers.