Russian hackers exploit Windows zero-day flaw to target Ukraine, US organizations

The vulnerability allows for arbitrary code execution and affects many versions of Windows and Windows Server

A cyberespionage group operating out of Russia has launched malware attacks against the Ukrainian government and at least one U.S.-based organization through a previously unknown vulnerability that affects most versions of Windows.

The group, which has been dubbed the Sandworm team, has been actively attacking organizations like the NATO alliance, energy firms and telecommunication companies since 2013, but its latest campaign leveraging the new Windows zero-day flaw was identified in late August by researchers from security firm iSight Partners.

The company made some of its findings public early Tuesday in coordination with Microsoft, which plans to release a patch for the vulnerability later in the day.

The attack used spear-phishing emails containing a malicious PowerPoint document that was created to exploit the new vulnerability. The campaign coincided with the NATO summit in Wales that focused on the conflict in Ukraine, the iSight researchers said in a blog post.

"Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree," the researchers said.

After the exploit was shared with Microsoft in early September, it was determined that the vulnerability is located in the Object Linking and Embedding (OLE) package manager and that it affects all versions of the Windows operating system from Vista Service Pack 2 to Windows 8.1, as well as Windows Server 2008 and 2012.

"The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files," the iSight researchers said. "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources."

Attackers can leverage this vulnerability to execute arbitrary code, but will need to trick users to open a specifically crafted file first by using social engineering techniques, something that was observed in this campaign.

"Although the vulnerability impacts all versions of Microsoft Windows -- having the potential to impact an enormous user population -- from our tracking it appears that its existence was little known and the exploitation was reserved to the Sandworm team," the iSight researchers said. Nevertheless, Windows administrators should apply the patch "as soon as humanly possible" once it becomes available, as the flaw has potential to be exploited by other attackers, the researchers said.

"Whilst the technical detail of the Sandworm vulnerability has thankfully been held back until the patch was ready from Microsoft, if the descriptions of the bug are accurate it could be a major attack vector for hackers to infiltrate corporate systems for further exploitation and exfiltration of confidential information," said Gavin Millard, EMEA technical director at Tenable Network Security, via email. "When zero day exploits associated with common file formats are exposed, malware to take advantage of it quickly follows."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityiSight PartnersTenable Network SecurityspywareExploits / vulnerabilitiesmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?