### Russian Cyber Espionage Campaign - Sandworm Team

###### Microsoft Windows Zero-day – Targeting NATO, EU, Telecom and Energy Sectors (CVE-2014-4114)

#### An iSIGHT Partners Overview

-----

###### Cyber Espionage Campaign attributed to Russia – Targeting includes

- NATO
- Ukraine
- Poland
- European Union
- European Telecommunications
- Energy Sector

Key points:

- Attribution to one of 5 active Russian intrusion teams monitored by iSIGHT Partners – "Sandworm Team"
  - Named for its affinity for/coded references to the science fiction series Dune
  - Campaign partially detailed by researchers at F-Secure and ESET – captured only a small component of targeting and missed critical elements
- Utilizing zero-day flaw in Microsoft Windows (CVE-2014-4114)
  - Spear-phishing campaign using weaponized Microsoft Office documents
    - Visibility into multiple PowerPoint lures
  - Impacts all versions of Windows from Vista to 8.1
    - Windows Server 2008, 2012
    - Flaw has existed for years
  - Zero-day nature of vulnerability leads to conclusion that intrusion efforts were highly effective
  - Close collaboration between iSIGHT Partners and Microsoft – patch is being released on Tuesday, October 14th

-----

###### Monitoring Sandworm Team from late 2013 and throughout 2014

- Genesis of team dates to as early as 2009
- Increased activity throughout 2014
- Visibility into this specific campaign began in December of 2013
  - NATO alliance targeted as early as December 2013
  - GlobeSec attendees targeted in May 2014
  - June 2014 – Western European government agency
  - Polish energy firm targeted using CVE-2013-3906
  - BlackEnergy variant configured with Base64-encoded reference to French telecommunications firm
- Zero-day artifacts captured late August/early September (CVE-2014-4114)
  - Spear-phishing email and exploit targeting Ukrainian government
  - Coinciding with NATO summit on Ukraine in Wales
  - At least one US organization fell victim – think tank/academia
- iSIGHT Partners labs team discovered use of zero-day vulnerability on September 3, 2014
  - Immediately notified targeted parties, clients across multiple government and private sector domains
- Began working with Microsoft on September 5, 2014
  - Provided technical analysis of vulnerability and the malware used to exploit it
  - Coordinated tracking of campaign
    - Monitoring for broader targeting and victimization
    - Monitoring for broader use of zero-day exploit in the wild
- Purposely timing disclosure to coincide with the release of the patch

-----

###### Timeline (2009 – 2013 – 2014)

- September 2014 – Zero-day artifacts captured (CVE-2014-4114)
  - Spear-phishing email/exploit targeting Ukrainian government
  - Coinciding with NATO summit on Ukraine in Wales
  - At least one US org fell victim (think tank/academia)
- September 3, 2014 – iSIGHT Partners labs discovers zero-day vulnerability
  - Immediately notified targeted parties and clients across government and private sector domains
- September 5, 2014 – Began working with Microsoft
  - Provided technical analysis of vulnerability and malware used in exploit
  - Coordinated tracking of campaign
    - Monitoring for broader targeting and victimization
    - Monitoring for broader use of zero-day exploit in the wild

-----

###### Known Targets

(Map graphic: Sandworm Team linked to NATO, Ukraine, Poland and France)

-----

###### Spear-phishing attachments

(Screenshots: diplomacy-themed spear-phishing attachment; spear-phishing attachment themed on the GlobeSec Forum on Russia)

-----

- Marked increase in cyber espionage activities linked to Russia
  - Russia is increasing its cyber-espionage focus and the volume is up in 2014
  - iSIGHT recently detailed activities of Tsar Team
    - Mobile malware targeting multiple platforms – Android, Windows, iOS
    - Targets include foreign militaries, defense contractors, ministries of foreign affairs, news organizations, NGOs and multilaterals, and jihadists
- Sandworm is one of 5 active cyber intrusion teams linked to Russia being monitored by iSIGHT Partners
  - Activities date back as far as 2009
  - Identified through overlapping infrastructure, use of traditional crimeware, and unique references to Dune
  - Team has an affinity for using traditional cyber crime tools as a component of its activities
    - BlackEnergy malware – used at least 2 versions of BlackEnergy
      - BlackEnergy 2 – traditional crimeware
      - BlackEnergy 3 (Lite) – no documented use in crime; may have been purpose built for Sandworm
    - Samples tied on basis of configuration to same combination of internal

-----

###### iSIGHT Partners believes Sandworm Team has Russian origins based on several factors:

1. Files retrieved from an open directory on a command and control server included a directory listing in Russian and a help file for the BlackEnergy Trojan also written in Russian.
2. Known targeting is consistent with antagonists to NATO as well as Ukrainian and European Union governments.
3. Social engineering is designed to appeal to personnel involved in military and intelligence operations against Russia, such as a list of pro-Russian "terrorists" sent in an email.
4. BlackEnergy source code was released through Russian e-crime channels.

-----

- Growing trend of blurred lines across cyber threat domains
  - Not just in Russia, but more pronounced here recently
- Russian overlap – links between criminal activity and cyber espionage activity are not uncommon
  - Tools
  - Talent
  - Some examples…
    - Zeus used in massive espionage campaign against US Government in 2008 and again in 2012
    - Pro-Russian hacktivism used BlackEnergy in the past during the Georgian conflict
    - Russians allegedly contracted a cyber crime actor in the Georbot campaign against Georgia
      - Attributed to Eshkinkot – Russian national named Vladimir A. Lenskij
      - Georgian CERT claimed to have captured e-mail messages and docs from Russian handlers
        - Instructing on how to use malware to record audio
        - Capture screen shots
        - Exfiltrate data
- TEMP.Noble (another Russian intrusion actor monitored by iSIGHT)
  - Sensitive source indicates that malware components were developed through a for-hire cyber crime forum

(Diagram: BlackEnergy shared between criminal actors and Sandworm Team)

-----

###### Affects all supported versions of Microsoft Windows

- Windows Vista x64 Service Pack 2
- Windows Vista Service Pack 2
- Windows Server 2008 R2 x64 Service Pack 1
- Windows Server 2008 Service Pack 2
- Windows Server 2008 x64 Service Pack 2
- Windows Server 2012
- Windows Server 2012 R2
- Windows 7 Service Pack 1
- Windows 7 x64 Service Pack 1
- Windows 8 x64
- Windows 8
- Windows 8.1 x64
- Windows 8.1
- Windows RT
- Windows RT 8.1

Does not appear to affect Windows XP.

##### Exposed, dangerous method vulnerability

- OLE package manager in Microsoft Windows and Server
- Vulnerability allows an attacker to remotely execute arbitrary code
- Windows allows the OLE packager (packager.dll) to download and execute INF files
- In the case of the observed exploit, specifically when handling Microsoft PowerPoint files:
  - Packager allows a Package OLE object to reference arbitrary external files (such as INF) from untrusted sources
  - Causes referenced files to be downloaded and executed with specific commands
  - Attacker can exploit this to execute arbitrary code
  - Needs a specifically crafted file and social engineering methods to convince the user to open it

-----

###### iSIGHT Partners follows responsible disclosure procedures

- Targeted entities
- Government and Law Enforcement
- Impacted software vendor(s)
  - Microsoft
- Disclosed identification of zero-day 2 days after analysis
  - Began immediate collaboration with Microsoft
    - Supporting development of a patch
    - Tracking utilization of the vulnerability in the wild
  - Timed disclosure to minimize the potential for broader victimization
  - Patch ready for release Tuesday, October 14th
  - "Break in case of emergency" plan in place for the past 5 weeks
    - Trigger: broader propagation of malware targeting the vulnerability
    - Trigger: evidence of broader victimization

-----

###### Mitigations

- Disable the WebClient Service
  - Impact
    - Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted
    - Any service depending on the WebClient service will not start
- Block TCP ports 139 and 445
  - Impact
    - Ports 139 and 445 are used for additional services including Common Internet File System (CIFS), DNS Administration, NetBT service sessions, printer sharing sessions and more
    - Disabling could affect functionality of those services
- Block launching of executables via Setup Information Files
  - Impact
    - Applications that rely on the use of an .INF file to execute an installer application may not automatically execute

-----
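As an added defensive example (not code from the iSIGHT deck), the Python scanner below reads the slide relationship parts of a .pptx archive and flags Package OLE objects whose target is external (a UNC/file URL or an .inf file), which is the lure pattern described above for CVE-2014-4114. The archive it inspects is constructed inline using a documentation-range address; the relationship types are the standard OOXML ones.

```python
"""Added example (not from the iSIGHT deck): flag OLE package objects in a .pptx
whose relationship target is external (UNC/file URL or .inf), the pattern the
CVE-2014-4114 lures used."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Remote/UNC-style targets; .inf targets are checked separately below.
REMOTE = re.compile(r"^(file:|\\\\|//|smb:|https?:)", re.IGNORECASE)


def scan_pptx(data: bytes):
    """Return (rels part, relationship id, target) for each suspicious OLE link."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL or rel.get("TargetMode") != "External":
                    continue  # embedded objects and non-OLE links are not the concern here
                target = rel.get("Target", "")
                if REMOTE.match(target) or target.lower().endswith(".inf"):
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_sample_pptx() -> bytes:
    """Constructed minimal archive (not a real lure); 192.0.2.10 is a documentation address."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Target="../slideLayouts/slideLayout1.xml" Type='
        '"http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL}" TargetMode="External" '
        'Target="file:///\\\\192.0.2.10\\public\\slide1.gif"/>'
        f'<Relationship Id="rId3" Type="{OLE_REL}" TargetMode="External" '
        'Target="file:///\\\\192.0.2.10\\public\\slides.inf"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Calling `scan_pptx(open(path, "rb").read())` on a real file lists every slide whose OLE package points outside the document; the constructed archive yields two findings (the remote .gif and the .inf) while the internal slide layout link is ignored.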