Russian Hackers Tracking Ukraine Crisis Stole NATO Data

Russian hackers targeted sensitive documents related to the recent NATO summit in Wales, using a security flaw in Microsoft Windows that affects tens of millions of computers, according to a report by a security firm.

The attack was part of a two-year Russian espionage campaign reflecting Russia’s growing appetite for intelligence on the U.S. and European response to its moves in Ukraine and elsewhere. The hackers were after so much information in such a rush that they made mistakes that have partially lifted the veil on the country’s spying efforts, according to iSight Partners, the Dallas-based security firm that uncovered the campaign.

The state-sponsored hackers hit dozens of computers belonging to the governments of Ukraine and at least one Western European nation, NATO and a Polish energy company, in some cases using a zero-day vulnerability in Microsoft Windows, one of the most common computer operating platforms in the world, iSight analysts found.

A zero-day flaw, so called because the software’s developers have had zero days to fix it when it is first exploited, likely allowed the hackers to infiltrate otherwise secure computers, grabbing e-mails, PowerPoint presentations and encryption keys for sensitive documents, iSight researchers said.

“You can lock the front door to your house all you want, but if I use the garage door opener to get in through the side it makes my job pretty easy,” said Chase Cunningham, a cybersecurity expert for FireHost Inc., in Richardson, Texas.

Microsoft is patching the flaw today, according to a company statement.

NATO Agenda

The North Atlantic Treaty Organization summit in early September, hosted by U.K. Prime Minister David Cameron and attended by President Barack Obama, was part of the alliance’s effort to develop a unified response to Russia’s support for Ukrainian separatists. Also on the agenda were European and American plans for confronting Islamic extremists in Iraq and Syria. Broad policy statements were released publicly, but much of the real planning occurred in secret.

John Hultquist, iSight’s senior manager for cyber-espionage threat intelligence, said the hackers might have been targeting Ukrainian officials preparing for the meeting, which was attended by Ukrainian President Petro Poroshenko.

Because of the type of information stolen, the use of a rare zero-day vulnerability and the targeting method, there’s little doubt the hackers were state-sponsored, either employed by Russia or hired as contractors, Hultquist said.

Limited Interest

“It’s just the nature of the game,” Hultquist said. “There are only a few people in the world who would be really interested in this stuff and would have the tools to get it.”

The report says the hacking group, which iSight calls the Sandworm Team, has been operating at least since 2009. The name comes from the hackers’ references to the Dune science fiction series.

Russia’s cyberspies are considered among the best in the world, and their intelligence programs are among the few true rivals of the U.S. National Security Agency, according to a former U.S. official who asked not to be identified discussing intelligence assessments.

Russia’s hunger for intelligence has grown rapidly as the government of President Vladimir Putin tries to track the U.S. and European response to its moves, and with that has come mistakes. The Sandworm hackers left some of the servers they used to communicate with targeted computers unguarded, according to the iSight analysis.

Under Pressure

“When you force an A-actor to move quicker, they’re going to take chances that they would not normally take,” said Jeff Schilling, a former operations chief for the U.S. Army Cyber Command and FireHost’s chief security officer. “The people pushing the operational buttons may be asking that something happens by a certain time, and that is going to create pressure.”

The fact that the hackers sprinkled their code with references such as arrakis02 and houseatreides94 left a trail for iSight analysts to follow, and appears to be another mistake. The company was also able to trace the hackers to the targeting of a French telecommunications company, a U.S. think tank and a Polish energy firm, all unnamed.

The zero-day flaw in Microsoft’s platform has existed for years, and may affect tens of millions of computers. It’s present in Windows operating systems from Vista through Windows 8.1, as well as in some of the company’s server packs. The security firm first noticed it in early September and alerted the U.S. government and other clients.

Just Learning

Others, including non-NATO governments, will learn about the vulnerability in their systems only today with the release of Microsoft’s patch.

Microsoft learned about this vulnerability when iSight reported it to the company on Sept. 5, according to a Microsoft spokesman.

Zero-days in Windows are a valuable commodity, and can sell for hundreds of thousands of dollars on the cyber black market. Governments employ contractors and other specialists to scan millions of lines of computer code looking for such flaws.

“Microsoft has said that the move from Windows XP to Windows 7 is supposed to be six times more secure, and the move from Windows 7 to Windows 8 is something like 24 times more secure,” Schilling said. “To find a zero day that can hit so many systems is likely to have quite an impact.”