A Russian hacking group has been exploiting a security flaw in Microsoft Windows to spy on NATO, the Ukrainian government, the European Union, an American academic organization, and companies in telecommunications and energy sectors, according to cyber intelligence firm iSight Partners.
The group, which has been active since at least 2009, favours spear-phishing emails carrying malicious document attachments to compromise its targets. The firm has internally dubbed the group “Sandworm Team” after finding references to the science-fiction series “Dune” in the malware’s code.
Citing the choice of targets as well as language clues embedded in the code, the company says it believes the hackers are Russian and are probably working for the government. The firm also notes that there is no indication this is the same group that launched a large-scale cyberattack on at least five US banks, including JP Morgan Chase, in August this year.
iSight, which has been monitoring the Sandworm Team’s activities since late 2013, said it has evidence that some Ukrainian government computer systems were infected, but the company does not have details on what data was exfiltrated in this campaign.
As for the Windows vulnerability, the security firm says it affects every currently supported version of Microsoft Windows, from Windows Vista through Windows 8.1, as well as Windows Server 2008 and 2012; Windows XP, which is no longer supported, is not affected. There is some irony in that, given Microsoft said last year that “Windows XP is 21 times more likely to be infected than Windows 8”.
iSight discovered the bug last month and has already shared it with Microsoft, which plans to release a fix for the vulnerability today as part of its monthly Patch Tuesday update. The security firm also plans to release a detailed report on the campaign to its clients today.