- Sep 21, 2014
Russian hackers exploited a bug in Microsoft's Windows to spy on computers used by Nato and western governments, a report indicates.
The same bug was used to access computers in Ukraine and Poland, said cyber-intelligence firm iSight Partners.
iSight did not know what data the hackers had accessed but speculated that they were looking for information about the crisis in Ukraine.
Microsoft said it would fix the bug.
A spokesman said that the company would roll out an automatic update to affected versions of Windows.
A spokesman for the North Atlantic Treaty Organization later issued the following statement.
"Nato is looking into evidence of potential hacking or other exploitations on its networks that are linked to the internet, in light of this report.
"This analysis is being conducted by our experts using knowledge gained from previously mitigated cyber-campaigns against Nato, to assess any potential ramifications.
"No impact is expected on Nato's classified operational networks, which are isolated from the internet."
The hacking campaign has been dubbed Sandworm because the researchers found references to the science fiction series Dune in the software code.
Other victims include energy, telecommunications and defence firms, delegates of the GlobSec conference about national security and an academic who was an expert in Russian-Ukraine relations.
The hacking campaign had been going on for five years, although the use of the so-called zero-day vulnerability in Windows (meaning a bug that Microsoft was not previously aware of) began only in August this year and allowed the hackers to ramp up their campaign and target more sources.
Although iSight could not say whether the hackers had ties with the Russian government, one senior analyst said he thought the campaign was supported by a nation state because the hackers were engaged in information-gathering rather than making money.
In a 16-page report, iSight explained how, in December 2013, Nato was targeted with a document purporting to be about European diplomacy but with malicious software embedded in it.
At the same time, several regional governments in the Ukraine and an academic working on Russian issues in the US were sent malicious emails, claiming to contain a list of pro-Russian extremist activities.
Other research firms, including F-Secure, have previously reported on the Sandworm bug - albeit under another name, Quedagh.
Senior researcher Mikko Hypponen said that the malware had gone undetected for years because it had been repackaged from an even older bug.
"The malware has been around for years - it used to be a denial-of-service bot called Black Energy which these hackers have repurposed for their needs."
"The interesting thing is that when it is detected by IT staff it will show up as Black Energy, which they will see as a very old run-of-the-mill bug that didn't do much."
The iSight research team said that it was tracking a "growing drum beat" of cyber-espionage activities emanating from Russia.
The ex-Soviet states had always been the number one source of malware, agreed Mr Hypponen, and since the Ukraine crisis he has also seen a rise in the number of espionage-based attacks.
"Although we have also seen as many attacks from the Quedagh bug in Poland as in Ukraine and we can't really explain that," he said.