Suspected Russian hackers use Microsoft zero-day exploit to target NATO, Ukraine and others

iSight Partners reveals a flaw that may have been actively exploited for five years

A bug in Microsoft Windows has been exploited by Russian hackers to spy on organisations including NATO, the European Union, Ukraine and energy firms, security experts have revealed.

The cyber-espionage attacks - which experts suggest are likely to be backed by the Russian government - use a previously unknown zero-day exploit in Windows to sneak into a range of secure networks. The group behind the attacks has been dubbed 'Sandworm' (after the monster of the same name in the Dune sci-fi novels) by iSight Partners, the security firm that discovered the bug. iSight believes the flaw may have been exploited over the past five years.

"As part of our normal cyber threat intelligence operations, iSight Partners is tracking a growing drum beat of cyber espionage activity out of Russia," the firm said in a blog post detailing the discovery.

iSight also suggests that the Sandworm group is still active, adding: "We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. We are tracking active campaigns by at least five distinct intrusion teams."

The malicious attacks have targeted a number of high-profile victims, with iSight detailing targets including NATO, Western European governments, a French telecommunications firm and a Polish energy company, amongst others.

Attacks were usually initiated by spear-phishing, and went on to make use of a zero-day exploit in Microsoft Windows.

"Our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012. A weaponised PowerPoint document was observed in these attacks," said iSight's Stephen Ward, who added that while it's not possible to gauge exactly what information was stolen, data will certainly have been taken.

"Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree."

The security firm told Microsoft about the vulnerability some time ago, opting not to disclose the information until Microsoft had had an opportunity to attempt to close the exploited loophole.

"iSight Partners worked closely with Microsoft to track and monitor the exploitation of this vulnerability in the wild, share technical information to assist in the analysis of the vulnerability and the development of a patch, and coordinate disclosure to the broader security community," said iSight.

The firm recommends that organisations patch their systems as soon as possible in order to protect against Russian attacks.

"The application of this patch should be done as soon as humanly possible given the potential for further exploitation by this cyber espionage team and others in the threat actor community," said the firm.

"Microsoft is detailing a list of workarounds to the vulnerability as part of its bulletin - these workarounds should help mitigate the risk of exploitation while the patching process unfolds for your firm," the statement concluded.