A closer look at the Sandworm cyber espionage threat

8

Dune is my favorite book of all time. I have read the original Dune trilogy more than once, and I have read many of the subsequent and peripheral titles related to the epic Dune saga. I used to own and study the Dune Encyclopedia to learn about the back stories and obscure references in the Frank Herbert books. I recently hooked my 12-year old son on the Dune series, just as my father before me did when I was around 12. Apparently the creators of the cyber espionage campaign dubbed “Sandworm” are fans as well.

Reports have emerged of this new cyber espionage campaign that appears to originate from Russia. It targets government leaders and agencies, and seems to have been in operation since at least 2009. It relies in part on exploiting a zero day vulnerability that affects all supported versions of Windows—a flaw that Microsoft issued a patch for in the October Patch Tuesday updates.

According to a story in Wired, “The researchers dubbed the operation “Sandworm” because the attackers make multiple references to the science fiction series Dune in their code. Sandworms, in the Frank Herbert books, are desert creatures on the planet Arrakis who are worshipped as god-like entities.”

Although the circumstantial evidence seems to indicate that Sandworm is based in Russia, it’s difficult to arrive at that conclusion with absolute confidence. Alex Gostev, chief security expert for the Global Research and Analysis Team of Kaspersky Lab, points out, “Cybercriminals may leave traces indicating that they speak a certain language or belong to a certain ethnic group in order to mislead investigators. Moreover, people in many post-Soviet countries communicate in Russian, particularly in the information technology sector. Therefore, making conclusions about a ‘Russian’ trace based on this evidence is ill-advised. The files/documents that the cybercriminals are after do not provide sufficient evidence from which to draw firm conclusions either.”

Regardless of where the threat originates from, it is still a cyber-espionage campaign that has been targeting victims for years. Tim Erlin, director of IT risk and security strategy for Tripwire, points out that other attackers may also have exploited these same vulnerabilities, though, so you shouldn’t let your guard down simply because your organization isn’t one of the known targets. Erlin adds, “This kind of multi-pronged attack demonstrates the clear need for multiple defensive strategies. Organizations need to think about their security process all the way from the initial targeted user contact through getting the stolen data out of the building.”

It’s wise to take a security issue like this seriously, but it is also prudent not to overreact. Tyler Reguly, security research manager for Tripwire, cautions that the sky is not falling. Reguly points out that this is a serious concern because it’s a zero day flaw that impacts all supported versions of the Windows operating system, but stresses that this is not a Heartbleed or Shellshock type incident.

Ross Barrett, senior manager of security engineering for Rapid7, agrees that organizations shouldn’t panic over Sandworm. “It’s interesting that the discoverers, iSight Partners, found this being used in Russian cyber espionage attacks in the wild, targeting NATO, the European Union, and the telecommunications and energy sectors, but that’s probably the most interesting aspect of it.”

“To start freaking out over issues like this would mean we’d have to start freaking out over every Internet Explorer, Adobe Flash, or Adobe Reader vulnerability that’s patched,” says Reguly. “The alarmist culture that the security industry is starting to adopt is quite frightening. I’m reminded of the 6’o’clock news where the story doesn’t lead if it doesn’t scare the majority of the population. While I, unfortunately, expect this from many in the journalism industry, I have a higher level of expectations for security professionals that understand the issue.”

I agree you shouldn’t freak out or panic. But, if you haven’t already done so, you should make it a priority to apply the MS14-060 update from Microsoft. Sandworm has used attacks in the form of PowerPoint files modified to exploit the vulnerable Package OLE object, which allows the attacker to reference arbitrary external files. MS14-060 is not rated as Critical by Microsoft, but the fact that the zero day flaw is being actively used in the wild gives it a higher sense of urgency.

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.

Share.

About Author

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 3 dogs, 4 cats, 3 rabbits, 2 ferrets, pot-bellied pig and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Twitter, Facebook, Instagram and LinkedIn.