‘Russians spied on Western governments for years via PowerPoint leak’
Since 2009, Russia has been abusing a zero-day exploit affecting all versions of Windows from Vista onwards to spy on Western governments, NATO, multinational corporations and academic institutions. The vulnerability was in PowerPoint.
The espionage exploited the new PowerPoint vulnerability, but also two other previously known vulnerabilities and the BlackEnergy crimeware. Targets were sent e-mails with malicious attachments and were infected after opening the specially crafted presentations. After that, the attackers were able to remotely execute code on the affected systems. In addition to the Windows versions mentioned, Windows Server 2008 and 2012 were also vulnerable, but Windows XP is not susceptible.
With Operation Sandworm, Russia focused on obtaining documents and e-mails containing information about Russia itself, Ukraine and other intelligence about the region, as well as on obtaining SSL keys and certificates. Sandworm, named after the giant sandworms from the Dune books, was discovered by security company iSight in collaboration with Microsoft. Other references to Dune, such as ‘arrakis02’, ‘houseatreides94’ and ‘epsiloneridani0’, could be derived from the URLs of the command & control servers used by the attackers.
In addition to Western governments and NATO, the energy sector in Poland in particular, the European telecommunications sector and American academic institutions were demonstrably targeted, iSight notes, but the company says that the zero-day may have been used against more targets by more parties.
The vulnerability exploited Windows’ ability to download and run .inf files via packager.dll. Specifically with PowerPoint files, according to iSight, the packager allows Package OLE objects to reference external .inf files from untrusted sources. Microsoft has since patched the vulnerability.
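As an added defensive example, not code from the article or from iSight, the following Python script scans a PowerPoint file for the pattern the paragraph describes: an OLE-object relationship that points outside the package at a .inf file. It assumes the packaged OOXML (.pptx) format, in which slide relationships live in `.rels` parts and use the standard OOXML relationship namespace and OLE-object relationship type; the sample presentation and the UNC path it references are constructed here for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship namespace and OLE-object relationship type.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_inf_ole_refs(pptx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels_part, target) pairs for OLE-object relationships whose
    TargetMode is External and whose target is a .inf file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; a production scanner would flag this too
            for rel in root.iter(f"{REL_NS}Relationship"):
                if rel.get("Type") != OLE_TYPE:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue  # embedded objects inside the package are not this pattern
                target = rel.get("Target", "")
                if target.strip().lower().endswith(".inf"):
                    hits.append((name, target))
    return hits


def build_sample_pptx(target: str, external: bool) -> bytes:
    """Constructed minimal .pptx-like zip with a single slide relationship part."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one external .inf reference, one ordinary embedded object.
    suspicious = build_sample_pptx(r"\\constructed-host\share\slide1.inf", external=True)
    benign = build_sample_pptx("../embeddings/oleObject1.bin", external=False)
    print(find_external_inf_ole_refs(suspicious))  # one hit from slide1.xml.rels
    print(find_external_inf_ole_refs(benign))      # []
```

Run against real .pptx files from a mail gateway quarantine, a non-empty result is a strong indicator worth blocking or sandboxing, while embedded (internal) OLE objects are left alone.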