
Russian hackers spy on Nato and the West using Sandworm

Russian hackers have exploited a previously unpatched bug in Microsoft's Windows operating system, dubbed Sandworm, to spy on Nato and other Western government computers.


A Nato spokesperson confirmed that the alliance is investigating the attack, and there is speculation that the hackers were attempting to gather information about the ongoing situation in Ukraine.

"Nato is looking into evidence of potential hacking or other exploitations on its networks that are linked to the Internet, in light of this report. This analysis is being conducted by our experts using knowledge gained from previously mitigated cyber-campaigns against Nato, to assess any potential ramifications. No impact is expected on Nato's classified operational networks, which are isolated from the Internet," read a statement from Nato, according to the BBC.

Microsoft has already moved to fix the problem and will roll out an automatic update to all affected versions of Windows, though it has not said which versions those are.

Sandworm takes its name from references to the Dune science fiction novels found in the malware's code. Other targets have included organisations in Ukraine and Poland, energy, telecommunications and defence firms, and delegates to the GlobSec conference on defence.

iSight Partners, a cyber-intelligence firm, says the campaign has been running for five years, but the Windows zero-day has only been in use since August, and the campaign has become far more damaging since then.

iSight's report on the campaign, which is also tracked under the name Quedagh, explains that in December 2013 Nato was sent a document about European diplomacy with malicious software embedded in it. Similar emails went to regional governments in Ukraine and to a prominent US academic working on Russia.

"The malware has been around for years - it used to be a denial-of-service bot called Black Energy which these hackers have repurposed for their needs," added senior researcher Mikko Hypponen of security firm F-Secure. "The interesting thing is that when it is detected by IT staff it will show up as Black Energy, which they will see as a very old run-of-the-mill bug that didn't do much."


iSight could not say whether the hackers have ties to the Russian government, though an analyst added that the campaign bears the hallmarks of nation-state backing: it collects data rather than making money.

Image Credit: Flickr (Contando Estrelas)

Jamie Hinks

Jamie is a freelance writer with over eight years' experience writing for online audiences about technology and other topics. In his time writing for ITProPortal he wrote daily news stories covering the IT industry and the worldwide technology market, as well as features that covered every part of the IT market, from the latest start-ups to multinational companies and everything encompassed by the IT sector. He has also written tech content for our sister publication, TechRadar Pro. Jamie has since moved into sports betting content and is Content Manager at Betbull.