Behold the Russian Sandworm
Patrick Kelly
Earlier this month, it was discovered that a sophisticated cyber espionage campaign had been targeting Western government leaders and institutions—including the North Atlantic Treaty Organization, energy and telecommunication companies, the Ukrainian and European Union governments, and one academic inside the United States—for almost 5 years.
Dubbed “Sandworm,” a reference to the science fiction series Dune, the (likely) Russian-based phishing campaign exploited a zero-day vulnerability—a software flaw unknown to the developer and/or the public. This particular flaw affected how Microsoft’s Windows operating system handles PowerPoint files, allowing the hackers to spread malware. iSight Partners, the cyber threat intelligence company that uncovered the furtive campaign, claims Sandworm focused on the collection of information about Ukraine, Russia, and other regional issues. The group also used a version of BlackEnergy—a tool popular among cyber criminals for spreading malware, which gained notoriety following attacks on Georgian systems during the Russo–Georgian War in August 2008.
Sandworm’s cyber espionage campaign was relatively simple in execution: The group sent e-mails that lured unsuspecting computer users into downloading the infected files—reportedly these offered information on a wide range of subjects, including military intelligence about separatist rebels in southeastern Ukraine. This allowed Sandworm to steal documents containing valuable diplomatic and military information and to spread malware to other systems. Those attending this year’s GlobSec conference—a global security and foreign policy forum—in Slovakia were, likewise, targeted with infected e-mails.
Zero-day vulnerabilities represent a serious problem that is difficult for both companies and government organizations to resolve because they are—by definition—unknown flaws. Furthermore, the continued exploitation of zero-day vulnerabilities underscores the need for cyber resilience and the ability to recover quickly after an attack. One proposed form of such resiliency is cyber insurance: As software manufacturers and service providers increasingly become liable for cyber intrusions, they will internalize the negative costs of a breach, thus modifying their behavior and incentivizing reasonable precautions without governmental action. Cyber insurance likely could help companies manage costs, while risk-based insurance premiums would encourage better cybersecurity practices.
If nothing else, Sandworm illustrates the vulnerabilities within our current system and the need for a robust cyber defense policy to prevent would-be aggressors, including state-sponsored organizations, from jeopardizing America’s national interests.
Patrick Kelly is currently a member of the Young Leaders Program at The Heritage Foundation.