{
	"id": "0c525c40-9cb0-429f-b188-6d2f8d0d1fc9",
	"created_at": "2026-04-06T00:06:17.672573Z",
	"updated_at": "2026-04-10T03:37:49.740944Z",
	"deleted_at": null,
	"sha1_hash": "96f850f203e3968233d7811abffdda7811bae635",
	"title": "Sandworm Zero Day Vulnerability | iSIGHT Partners",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285266,
	"plain_text": "Sandworm Zero Day Vulnerability | iSIGHT Partners\r\nBy Stephen Ward\r\nPublished: 2014-10-14 · Archived: 2026-04-05 22:22:27 UTC\r\nSandworm Team Zero Day Vulnerability impacting all versions of Microsoft Windows – used in Russian\r\ncyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors\r\nUPDATE – 10/21/14\r\nSince our disclosure last week of Sandworm Team, the cyber espionage operators who were using the CVE-2014-4114 zero-day, excellent work by others in the community has shed new light on aspects of their behavior we were previously unaware\r\nof. We are still uncovering new facets of this campaign, such as targeting, malware, and innovative command and control\r\nmethods, but perhaps most disconcerting is their interest in the software which runs critical infrastructure.\r\nWe have new details of SCADA system targeting – we are still uncovering more information but you can read these details\r\nhere\r\n——————————————————————————————————————————————————————\r\nLast week (Thursday, October 16, 2014) iSIGHT Partners held a briefing to any interested parties surrounding the\r\nSandworm Team disclosure – you may access the on-demand version of that briefing here.\r\nALSO – a hat-tip to the team at Recorded Future – an interesting piece of work showing discovery of Sandworm Team IOCs\r\nusing Recorded Future Maltego transforms…check their piece here\r\nOriginal Post\r\nOn Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a\r\nzero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.\r\nMicrosoft is making a patch for this vulnerability available as part of patch updates on the 14th – CVE-2014-4114.\r\nExploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT\r\nPartners attributes to Russia.\r\nVisible Targets\r\nVisibility into 
this campaign indicates targeting across the following domains. It is critical to note that visibility is limited\r\nand that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day.\r\nNATO\r\nUkrainian government organizations\r\nWestern European government organization\r\nEnergy Sector firms (specifically in Poland)\r\nEuropean telecommunications firms\r\nUnited States academic organization\r\nhttps://web.archive.org/web/20160503234007/https:/www.isightpartners.com/2014/10/cve-2014-4114/\r\nPage 1 of 4\n\nRequests for Technical Indicators / For More Information\r\nHigh level details of this campaign – including iSIGHT’s assessment of the actors behind it – can be found below. Further\r\ninformation was provided in a briefing to any interested parties on Thursday, October 16th at 2:00 p.m. eastern – you may\r\naccess the on-demand version of that briefing here.\r\nTo support organizations in determining their potential exposure to this campaign, iSIGHT is making available a broader\r\ntechnical report – inclusive of indicators – through a formal vetting process.\r\nTo request the full technical report, please follow this link and complete the necessary information. Note that you will need\r\nto provide professional credentials including work email and telephone and that iSIGHT may contact you to verify those\r\ncredentials prior to releasing the report.\r\nIf you have a media related inquiry regarding this disclosure, please contact iSIGHT at 703.994.9349 or by sending email\r\nto isightpartners@okco.com.\r\nHigh Level on Sandworm – Cyber Espionage Campaign Attributed to Russia\r\nAs part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber\r\nespionage activity out of Russia.\r\nWe are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. 
We are tracking\r\nactive campaigns by at least five distinct intrusion teams.\r\nFor example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile\r\nmalware. This team has previously launched campaigns targeting the United States and European intelligence communities,\r\nmilitaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and\r\nrebels in Chechnya.\r\nWe are attributing this particular cyber-espionage campaign to a different intrusion team that iSIGHT has dubbed\r\n‘Sandworm Team’ based on its use of encoded references to the classic science fiction series Dune in command and control\r\nURLs and various malware samples.\r\nThe team has been previously referred to as Quedagh by F-Secure, which detailed elements of this campaign in September\r\n2014 but only captured a small component of the activities and failed to detail the use of the zero-day vulnerability.\r\niSIGHT Partners has been monitoring the Sandworm Team’s activities from late 2013 and throughout 2014 – the genesis of\r\nthis team appears to be around 2009. The team prefers the use of spear-phishing with malicious document attachments to\r\ntarget victims. Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader\r\ngeopolitical issues related to Russia. 
The team has recently used multiple exploit methods to trap its targets including the use\r\nof BlackEnergy crimeware, exploitation of as many as two known vulnerabilities simultaneously, and this newly observed\r\nMicrosoft Windows zero-day.\r\nSome chronological details on Sandworm’s targeting…\r\nThe NATO alliance was targeted as early as December 2013 with exploits other than the zero-day\r\nGlobSec attendees were targeted in May of 2014 with exploits other than the zero-day\r\nJune 2014\r\nBroad targeting against a specific Western European government\r\nTargeting of a Polish energy firm using CVE-2013-3906\r\nTargeting of a French telecommunications firm using a BlackEnergy variant configured with a Base64-encoded reference to the firm\r\nIn late August, while tracking the Sandworm Team, iSIGHT discovered a spear-phishing campaign targeting the Ukrainian\r\ngovernment and at least one United States organization. Notably, these spear-phishing attacks coincided with the NATO\r\nsummit on Ukraine held in Wales.\r\nOn September 3rd, our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a\r\nzero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server\r\n2008 and 2012. 
A weaponized PowerPoint document was observed in these attacks.\r\nThough we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability\r\nvirtually guarantees that all of those entities targeted fell victim to some degree.\r\nWe immediately notified targeted entities, our clients across multiple government and private sector domains and began\r\nworking with Microsoft to track this campaign and develop a patch to the zero-day vulnerability.\r\nWorking with Microsoft, we discovered the following:\r\nAn exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server\r\nImpacting all versions of the Windows operating system from Vista SP2 to Windows 8.1\r\nImpacting Windows Server versions 2008 and 2012\r\nWhen exploited, the vulnerability allows an attacker to remotely execute arbitrary code\r\nThe vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF\r\nfiles. 
In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows\r\na Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.\r\nThis causes the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands.\r\nAn attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use\r\nsocial engineering methods (observed in this campaign) to convince a user to open it\r\nCoordinated Disclosure\r\nOver the past 5 weeks, iSIGHT Partners worked closely with Microsoft to track and monitor the exploitation of this\r\nvulnerability in the wild, share technical information to assist in the analysis of the vulnerability and the development of a\r\npatch, and coordinate disclosure to the broader security community.\r\nAlthough the vulnerability impacts all versions of Microsoft Windows – having the potential to impact an enormous user\r\npopulation – from our tracking it appears that its existence was little known and the exploitation was reserved to the\r\nSandworm team.\r\nGiven that affected parties were notified and that we did not witness a major surge / broader propagation of the exploit based\r\nupon our visibility into the team’s command and control infrastructure, we elected to time the disclosure to the availability\r\nof a patch. 
This timing minimizes the potential for other bad actors to take advantage of the vulnerability.\r\nShould we have witnessed a major change, both Microsoft and iSIGHT Partners were ready to release this information in\r\nadvance of the patch.\r\nThe application of this patch should be done as soon as humanly possible given the potential for further exploitation by this\r\ncyber espionage team and others in the threat actor community.\r\nMicrosoft is detailing a list of workarounds to the vulnerability as part of its bulletin – these workarounds should help\r\nmitigate the risk of exploitation while the patching process unfolds for your firm.\r\nRequests for Technical Indicators\r\nAs mentioned at the beginning of this blog, iSIGHT is providing indicators of compromise to all concerned parties through a\r\nvetting process to assist organizations in analyzing their potential exposure. To request the technical report click here.\r\nTags active cyber espionage campaigns blackenergy malware crimeware CVE-2014-4114 cyber crime cyber espionage\r\ncyber intel cyber intelligence cyber readiness cyber risk assessment cyber risk reduction cyber threat intelligence cyber\r\nthreats fusing threat intelligence isight partners russian cyber espionage ukraine sandworm team threat intel threat\r\nintelligence zero day windows zero-day discovery zero-day malware zero-day windows malware\r\nSource: https://web.archive.org/web/20160503234007/https:/www.isightpartners.com/2014/10/cve-2014-4114/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20160503234007/https:/www.isightpartners.com/2014/10/cve-2014-4114/"
	],
	"report_names": [
		"cve-2014-4114"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96f850f203e3968233d7811abffdda7811bae635.pdf",
		"text": "https://archive.orkl.eu/96f850f203e3968233d7811abffdda7811bae635.txt",
		"img": "https://archive.orkl.eu/96f850f203e3968233d7811abffdda7811bae635.jpg"
	}
}