High Level on Sandworm – Cyber Espionage Campaign Attributed to Russia
October 15, 2014

On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

Visibility into this campaign indicates targeting across the following domains. It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day.
  • NATO
  • Ukrainian government organizations
  • Western European government organization
  • Energy Sector firms (specifically in Poland)
  • European telecommunications firms
  • United States academic organization
This particular cyber-espionage campaign is attributed to an intrusion team that iSIGHT has dubbed ‘Sandworm Team’ based on its use of encoded references to the classic science fiction series Dune in command and control URLs and various malware samples.

iSIGHT Partners has been monitoring the Sandworm Team’s activities from late 2013 and throughout 2014, although the genesis of this team appears to be around 2009. The team prefers spear-phishing with malicious document attachments to target victims. Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia. The team has recently used multiple exploit methods to trap its targets, including the use of BlackEnergy crimeware, exploitation of as many as two known vulnerabilities simultaneously, and this newly observed Microsoft Windows zero-day.
More details on this recently detected cyber-espionage attack can be found at the following links:

http://www.isightpartners.com/2014/10/cve-2014-4114/

or

http://www.reuters.com/article/2014/10/14/us-russia-hackers-idUSKCN0I308F20141014

 
© 2008 TRA. All rights reserved.