Microsoft Windows Flaw Let Russian Hackers Spy On NATO, Report Says

Oct 14, 2014
Originally published on October 14, 2014 6:41 pm

A group of hackers, allegedly from Russia, found a fundamental flaw in Microsoft Windows and exploited it to spy on Western governments, NATO, European energy companies and an academic organization in the United States.

That's according to new research from iSight Partners, a Dallas-based cybersecurity firm.

Last month, the U.S. and the U.K. were preparing to meet at a NATO summit to talk about Ukraine. Emails were flying back and forth. Different experts were offering to talk at the conference. And in the midst of all the digital traffic, hackers jumped into the conversation.

Patrick McBride, a spokesman with iSight, says the hackers targeted specific officials using a well-known kind of attack called spear-phishing. Hackers would craft a message with a PowerPoint document attached. For example, they'd say, "We'd like to be involved in the conference."

And when an unknowing recipient opened the malicious PowerPoint, the file exploited the flaw to load a piece of malware onto the computer that the attacker could then use later to "exfiltrate documents," McBride says.

The hacker group, dubbed the "Sandworm Team," allegedly pulled emails and documents off computers from NATO, Ukrainian government groups, Western European government officials, and energy sector and telecommunications firms.

In the mad dash to grab information, McBride says, the hackers got a little sloppy and dropped hints about their identity. He says they're Russian, "but we can't pinpoint if they work for the Russian government or work in a particular department in the government."

The Russian embassy did not immediately respond to NPR's inquiry. Microsoft says that Tuesday, it's patching the security flaw so that PowerPoint and other Office products can't be exploited again in the same way.

Lonnie Benavides, a researcher with the cybersecurity services firm DocuSign, says if the findings are true, they represent an interesting turn of events. "Typically Russians stick to making money, stick to stealing credit cards and identities as far as trends go," he says.

Federal authorities are investigating the role of Russian hackers in the major breach against JPMorgan Chase.

Benavides says Russia provides an enabling environment for cyber offenses — whether it's crime like stealing credit cards, or espionage to steal state secrets — because the country has some very talented hackers who do not get prosecuted.

"I'm certainly not seeing waves of people that are being put in jail, in order to send a message, in order for this to stop," he says.

Even though the iSight report points to code that was in the Russian language, Benavides would not jump to the conclusion that the hacker group is state-sponsored or even from Russia. "There's an attribution problem," he says.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

AUDIE CORNISH, HOST:

A group of hackers - allegedly from Russia - found a fundamental flaw in Microsoft Windows. And they're believed to have exploited it to spy on Western governments, on NATO, on European energy companies and on an academic organization here in the U.S. Now this is all according to new research from a cyber-security firm called iSight Partners. NPR's Aarti Shahani has the story.

AARTI SHAHANI, BYLINE: Last month, the U.S. and the U.K. were preparing to meet at a NATO summit - the North Atlantic Treaty Organization - to talk about Ukraine. E-mails were flying back and forth. Different experts were offering to talk at the conference. And in the midst of all that digital traffic, hackers jumped into the conversation. Patrick McBride, a spokesman with iSight, says they targeted specific officials.

PATRICK MCBRIDE: So you would craft a message, it might have an attachment with a PowerPoint in it, say hey, you know, take a look at this PowerPoint, see if that makes sense. We'd like to be involved in the conference, for example. Or any number of other things that might get the attention.

SHAHANI: A hacker group found a vulnerability in Microsoft software and launched a well-known kind of attack called spear phishing. When an unknowing recipient opened the corrupted PowerPoint, the file was exploited.

MCBRIDE: To load a piece of malware onto the computer that the attacker can then use later.

SHAHANI: The hacker group called the Sandworm team allegedly pulled e-mails and documents off computers from NATO, Ukrainian government groups, Western European government officials and energy sector and telecommunications firms. In the mad dash to grab information, McBride says, the hackers got a little sloppy and dropped hints about their identity.

MCBRIDE: It's Russian actors, but we can't pinpoint that, you know, they work for the Russian government or they work in a particular department in the government.

SHAHANI: The Russian Embassy did not immediately respond to NPR's inquiry. And Microsoft says that today it's patching the security flaw so that PowerPoint and other Office products can't be exploited in the same way.

Lonnie Benavides, a security researcher with the cyber-security services firm DocuSign, says if the findings are true they represent an interesting turn of events.

LONNIE BENAVIDES: Typically, Russians I guess stick to making money, right? They stick to stealing credit cards and identities as far as trends go.

SHAHANI: Federal authorities are investigating the role of Russian hackers in the major breach against J.P. Morgan. Benavides says Russia provides an enabling environment for cyber-crime like stealing credit cards and for cyber-espionage like stealing state secrets because the country has some very talented hackers who don't get prosecuted.

BENAVIDES: I've certainly not seen waves of people that are being put in jail in order to send a message in order for this to stop.

SHAHANI: Even though the iSight report points to code that was in the Russian language, Benavides would not jump to the conclusion that the hacker group is state-sponsored or even from Russia. Aarti Shahani, NPR News. Transcript provided by NPR, Copyright NPR.