Skip to main content

What You Need to Know About the "Sandworm" Exploit

You may have heard about last month's hack of computers belonging to NATO, Ukrainian and European Union representatives. The attack vector was a classic - a loaded email; classic enough that at first I wondered why the attacks were so successful, post-Stuxnet.

Every target opened an email with an infected Microsoft Power Point document. The Power Point was executable. Under ordinary circumstances, users are provided with a security warning that they must over-ride when running and saving executable Power Points. I haven't been able to find confirmation in the news as to whether users read and confirmed these security warnings before running the loaded files; I haven't been able to get my hands on a copy of Sandworm to see for myself, either (please leave a message or email me if you have such a copy).

In some sense, the incompetence entailed in triggering the infection is a bit more forgivable as apparently this infection has been running unabated since its first successful intrusion in 2009. Five years later, presumably world leaders are more savvy about complex attack vectors like downloading attachments from strangers. On the other hand, this infection has been running unabated since its first successful intrusion in 2009. Over the last 15 years I have worked with many companies to resolve security problems. I've seen many best practices ignored, smart security measures over-ridden by lazy employees, critical IT staff replaced incompetents resulting in squandered logs and security infrastructure.

In all of this time I have never seen or in fact heard of a single company, no matter how small, broke or inexperienced, with an ongoing security breach of this magnitude that went completely un-noticed for five years. The length of time involved, the amount of people who had to function with blinders on, the hardware and software changes - all of these things is simply staggering. The only conclusion that can be reached is that for NATO and the European Union, "cyber-security" is another empty buzzword used to drain tax payer money and promote a pack of thieves who know nothing about computers.

With that out of the way, Sandworm is quite a piece of work. The software funnels documents and emails containing intelligence and diplomatic information about Ukraine and Russia and send them back to Sandworm's admins. SSL keys and certificates get ripped off as well. These could be used for a whole host of nasty things, but at the least they would be used to fool email recipients into downloading infected attachments by using email servers with fraudulent certificates. Yet another sign that SSL cannot and should not be trusted for identity-verification purposes.

Sandworm impacts every version of Windows including and after Vista, including Server 2012.

The bug does show its age a bit. For example, it tries to install BlackEnergy, a malware platform that was the absolute sh*t back in 2008 but which is all of useless today. The tool was used to launch DDoS attacks during the great Georgian cyber war - more evidence linking Sandworm to Russian nationals. One can only imagine the consequences should Sandworm had used a newer DDoS platform: what kind of international incident would have resulted from NATO launching a Denial of Service against Ukraine?

The security firm iSight was responsible for catching the mess. You can get a peek at their publicized report by way of the Washington Post.

There are a few simple suggestions that reduce one's susceptibility to Sandworm and bugs like it. First and foremost, despite how the popularity of attachments, email is not a file transfer protocol. Particularly in environments demanding security (like NATO, for gods-sake), email servers should strip attachments from emails. Forwarding the attachments to a DMZ fileserv can allow users to retain the ability to download critical attachments without ensuring infection when users download all of their messages prior to reviewing them using mail client.

PowerPoint has no place in a mission-critical secure environment. There are other options providing the same functionality without being targeted as aggressively for infection. In large organizations, there is no reason why laptops specifically for presentations cannot be assigned. Restrict the ability to install applications on these laptops and limit their access to secure networks. Time and again we hear stories of diplomats and officials taking their office computers to conferences attended by unfriendly governments, only to have those computers compromised. Present at the conferences. Work at the offices. Avoid career-ending embarrassment and international incidents. Its computer science, not rocket science.