Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others

An anonymous reader writes: Reuters reports that a cybersecurity firm has found evidence that a bug in Microsoft's Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others for the past five years. Before disclosing the flaw, the firm alerted Microsoft, who plans to roll out a fix on Tuesday. "While technical indicators do not indicate whether the hackers have ties to the Russian government, Hulquist said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime. For example, in December 2013, NATO was targeted with a malicious document on European diplomacy. Several regional governments in the Ukraine and an academic working on Russian issues in the United States were sent tainted emails that claimed to contain a list of pro-Russian extremist activities, according to iSight."

Hilarious

[Anonymous Coward]

Russians using American software to spy on NATO. The irony is mind blowing.

Re:Hilarious

[nukenerd]

... unsolicited email is bad, NATO and other sensitive document handling people, ok?

If NATO or any other agency working on defence or international relations issues receives an unsolicited email purporting to list pro-Russian extremist activities, then they certainly should open it. That is part of their job - to remain in touch with these affairs. Chances are it is a hoax or scam, but they should still check. Otherwise it would be like the fire brigade refusing to pick up the emergency calls phone in case it is a hoax.

OTOH, they should open such emails in a sandbox suchas a VM, preferably in a non-Windows environment. They are professionals - they should be able to handle this sort of thing.

Re:

[Ol Olsoc]

OTOH, they should open such emails in a sandbox suchas a VM, preferably in a non-Windows environment. They are professionals - they should be able to handle this sort of thing.

It is really amazing how many things are not Microsoft's fault.

Re:

[nukenerd]

To be honest, a political organization should not receive such emails directly anyway

NATO; an academic working on Russian issues; - these are not "political organisations" (NATO is a defence organisation). You think they should say to the world "Please send all emails for us via our local security police" ?!

They should know who is sending the information. Knowing and keeping up with the sender is .. important

It might be an anonymous tip-off. In this case it sounds like the emails were posing as just that. Ironic from an anonymous poster LoL!

Re:

[znrt]

OTOH, they should open such emails in a sandbox suchas a VM, preferably in a non-Windows environment. They are professionals - they should be able to handle this sort of thing.

opening that email in a plain text editor would have been enough, and more informative too. even outlook, i vaguely remember, had a "view source" or equivalent option.

allowing html or media to be embedded in email seemed a cool idea but we have never been prepared for it.

otoh, allowing private software to be used in public affairs is just idiotic.

Re:

[cheater512]

You hope they are professionals.

I'm pretty sure this article proves that they are not.

Re:

[benjymouse]

Why?

Microsoft is not a state-owned enterprise, and has no allegiance to any state. It has a responsibility only towards its shareholders, and apparently the business model of selling flawed software is very profitable.

As opposed to doling out flawed software for free?

Re:

[SargentDU]

Or non-flawed software for free too. :)

Re:

[sjames]

MS has been convicted of felonies all over the world multiple times. If MS was an individual, they would be serving a mandatory life sentence somewhere on a third strike.

Read here for a more detailed perspective

[Anonymous Coward]

Read here for a more detailed perspective
http://www.isightpartners.com/2014/10/cve-2014-4114/

Re:Read here for a more detailed perspective

[fgrieu]

In addition to isight's blog [isightpartners.com]
there's an article in Wired [wired.com]

Re:

[Aryeh Goretsky]

Hello,

The first public analysis of the malware campaign (called BlackEnergy by most researchers) was done by Arbor Networks [arbornetworks.com] back in October 2007, and Dell SecureWorks [secureworks.com] did a comprehensive write-up on its second generation in 2010. Additional information on this malware campaign:

• We Live Security blog - Back in BlackEnergy: 2014 Targeted Attacks in Ukraine and Poland [welivesecurity.com]
• 2014 Virus Bulletin Conference - Last-minute paper: Back in BlackEnergy: 2014 targeted attacks in the Ukraine and Poland [virusbtn.com] and YouTube video [youtube.com] of

Sensationalize much?

[palemantle]

1 - ISight claims this has been a five year campaign and then add that "hackers began only in August to exploit a vulnerability found in most versions of Windows". So where did the "five year" timeline come from?

2 - "Russian hackers target NATO, Ukraine and others" the article screams and then we find this wishy washy explanation from ISight's John Hullquist on his claim about the hackers being Russian:
"Your targets almost certainly have to do with your interests. We see strong ties to Russian origins here".

Sounds like a bunch of FUD to me

Re:

[operator_error]

So where did the "five year" timeline come from?

From TFA

iSight is not the first to spot the attackers in the wild. Other security firms, including F-Secure in Finland, have uncovered victims over the years. But iSight was able to tie various attacks together to expose commonalities in the five-year campaign. It was encoded references to Dune—which appear in URLs for the attackers’ command-and-control servers—that helped tie some of the attacks together. The URLs include base64 strings that

Re:Sensationalize much?

[benjymouse]

1 - ISight claims this has been a five year campaign and then add that "hackers began only in August to exploit a vulnerability found in most versions of Windows". So where did the "five year" timeline come from?

2 - "Russian hackers target NATO, Ukraine and others" the article screams and then we find this wishy washy explanation from ISight's John Hullquist on his claim about the hackers being Russian:

Sounds like a bunch of FUD to me

While I suspect that ISight (like all "security research" companies) deliberately stirs the pot (it helps generate awareness of their products), they do not actually claim that the specific vulnerability has been used for 5 years.

One could imagine that the "Sandworm" operation has been ongoing for 5 years. If they continually and persistently try to infiltrate NATO and other organizations they will probably use whatever opportunity presents itself. They actually also try to exploit vulnerabilities that have long been patched, hoping to hit an unpatched machine.

So while they do try to sensationalize, it is conceivable that the hacker group is older than just the most recently used vulnerability.

read moar

[Gravis Zero]

1) "So where did the "five year" timeline come from?"

Some Sandworm attacks also use five older vulnerabilities that have already been patched. The exploits are used to install various versions of BlackEnergy, a malicious tool used by cybercriminals. The tool gained notoriety in 2008 when botnets infected with the malware were used to launch denial-of-service attacks against systems in Georgia during a standoff between that country and Russia.

2) "wishy washy explanation from ISight's John Hullquist on his claim about the hackers being Russian"

Hulquist said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime.

crime can be anyone, espionage is reserved for a very select set of parties. it's a mere matter of deduction but feel free to believe what you wish, just stop posting it.

@AC (#48138981) - Re:Not unexpected....

[nukenerd]

Bill [Gates] also said 640k should be enough memory for anyone (I have the audio recording!)

Really? Please could you give a link to that. People have argued over and over whether he really said that. He denies it himself, so it would be very interesting if a recording exists and can be made public.

Re:

[vistapwns]

Don't hold your breath. This guy knows he does not have an audio recording, I have googled high and low, and all you can find is the quote, which Bill Gates denies. Furthermore, MS was never in a position to dictate the memory on the system, that was decided by IBM who decided to use a 16-bit intel chip which is inherently restricted to 1024KB (640K for programs, 384K for VRAM and BIOS functions). It's merely propaganda, blaming IBM isn't Politically correct since they are now linux backers.

People must be blind

[buckfeta2014]

User clicks on a malicious PPT file, which installs a backdoor. Don't people check task manager for unscrupulous executables running on their systems?

Re:

[Anonymous Coward]

well some malware has the ability to hide from task manager.
couple this with the fact that the average user will have something like 100 processes running on boot up, they won't trim down unnecessary stuff.
And has no idea what most of them are.

I am of the opinion MS needs to make the above process simpler by trimming down the number of processes that run by default. Obviously keep separate things that do need to run in different security contexts, but there are way too many processes that run by default.

Re:

[AqD]

They can be hidden by 1) obtaining the administrator privilege and thus modifying process list in kernel, or 2) removing a line from the process table/list of Task Manager UI of the current user. It's part of centralized GUI / automation feature on Windows - also theoretically doable on X-window but nearly impossible due to massive use of lightweight widgets which are painted on the main window like it's a canvas (might have to do OCR on bitmaps...)

1) is even easier on Linux if malware is run on root permis

Re:

[Ol Olsoc]

User clicks on a malicious PPT file, which installs a backdoor. Don't people check task manager for unscrupulous executables running on their systems?

I'm envisioning a CEO at the big yearly meeting checking for "unscrupulous executables" when he starts his PowerPoint presentation.

This is the problem with you apologists. You have all of these excuses for Microsoft's flaws, and all of your "I can't believe that you didn't (insert really unlikely geek action performed by normal user here) , so it's all your fault."

If almost everyone is too stupid to use Microsoft OS, despite normal or high intelligence, maybe it really isn't their problem.

I wonder how long the NSA

[wiredog]

has had this one on the shelf, without disclosing it?

Re:I wonder how long the NSA

[TheRaven64]

That's the real question. And again, the NSA needs to answer the following question:

Were they sufficiently technically incompetent that they didn't discover an attack that the Russians have been using, or were they sufficiently inept in a more general intelligence sense that they didn't realise that leaving US and allied machines vulnerable might be a problem?

Re:

[sasparillascott]

Since Microsoft added the vulnerability at the request of the NSA, the NSA thought it was secret and only they new about it. /s

Re:I wonder how long the NSA

[skgrey]

If they did have the exploit (and they probably did) the issue is visibility - they know they have this exploit, and probably a lot more, that can be used to easily get access to a system. How do you only patch "friendly" computers? Alerting Microsoft that this issue exists means that they will push out the patch to everyone, they simply aren't going to write patches for "friendly" computers. There allegiance is to the market, not to the country.

That's probably the big problem the NSA has in general - they have all these great exploits, but others could have them as well. They are the method for being able to do some of the critical things they need to do to get access, especially abroad, but the second they disclose they potentially lose their ability to utilize them. It becomes a spy race at that point - get as much important data as you can while hoping the "bad guys" aren't doing the same or are slower at it.

I wonder if the NSA ever feels a little guilty, knowing they have these exploits and could get them patched, and ultimately one of the could be used to do something very, very bad.

Re:I wonder how long the NSA

[king neckbeard]

Since the security of Microsoft systems became a significant factor in national security. Perhaps they could shift their efforts of illegally tipping off DEA agents into security audits of software vital to our infrastructure, since that would actually protect the security of the nation.

Governments

[ruir]

Using foreign proprietary technology and using in particular Windows are retarded. What are they really expecting?

Re:

[ruir]

What "low hanging fruit"? A system defective by design, and sold by a firm in bed with the USA government, setup by a family influential in washington, and that were already supposedly caught with a NSA entry key in their binary code? Sold by a country known by corporate and state espionage? Humor me, why I am not surprised? The only winning move is NOT to use it. The chinese are (were?) doing it right designing their own processors and building their own linux distros. At least someone who knows what is do

Re:

[BronsCon]

I'll take those two OpenSSL and Bash vulnerabilities any day! That's an important distinction, and not making it lulls anyone using OpenSSL or Bash on a non-Linux system into a false sense of security and may prevent them from patching. That's either a good or bad thing, depending entirely on the color of your hat.

Yes, Heartbleed and Shellshock both had the potential to be much, much worst than this bug. However, those were only exploited after being found and disclosed, and patches being made available,

Re:

[WaffleMonster]

I'll take those two OpenSSL and Bash vulnerabilities any day! That's an important distinction, and not making it lulls anyone using OpenSSL or Bash on a non-Linux system into a false sense of security and may prevent them from patching. That's either a good or bad thing, depending entirely on the color of your hat.

Yes, Heartbleed and Shellshock both had the potential to be much, much worst than this bug. However, those were only exploited after being found and disclosed, and patches being made available, while this and other Windows flaws are only patched after being found, disclosed, and exploited for a while. Where there were patches issued for Heartbleed and Shellshock within hours of disclosure, this won't be patched until Patch Tuesday. Mind you, that's today, but it's still coming not only days after the disclosure, but months after active exploits.

What is the point? For starters none of us have any idea who all has a stock of what 0-days for any platform.

Secondly CVE databases are loaded to the hilt with windows and Linux vulns.

Distinctions made are about as useful as an intelligence contest for the mentally retarded. Unsurprisingly everyone is failing ... badly.

Re:

[BronsCon]

The point is that failure to make the distinction between a bug only affecting Linux and a bug affecting a library or application (such as a shell) that can run on any arbitrary platform usually means that only Linux users of that library or application end up taking immediate action to correct the issue, leaving users of the library or application on other platforms vulnerable until the next time they apply system patches for another issue. In some cases it's a difference of days, in others it's weeks, mon

Re:

[WaffleMonster]

it's about keeping people informed so they can act appropriately. Imagine yourself a FreeBSD user; if you heard of Heartbleed as a Linux bug, would you think to look for an OpenSSL patch?

If your idea of being notified is hearing about it on CNN, ./, other "media" or social propagation your doomed.

Users should not be expected to know what supporting libraries are used by applications. Application vendors need to provide patches and make announcements for service effecting vulnerabilities in supporting libraries distributed with their applications no different than if source of error were their own code.

Operating system/package vendors need to provide patches and make announcements for vuln

Re:

[BronsCon]

While I don't disagree with the point you are making in this post, I think you're greatly missing *my* point. As an informed user and sysadmin, I keep an eye on current CVEs use that information to know when to expect new patches, which allows me begin testing and applying them long before media or social circles pick up the information and, often, some time before vendor notifications or any automated update processes. Most sysadmins, and nearly all users, aren't as attentive and they do rely on media and

Re:

[BronsCon]

I'll start with your last comment first. Your files, online and off, may have never been modified or deleted by someone other than yourself but that doesn't mean they haven't been hacked. A good hack leaves no trace and an expert hacker would copy your files without altering them.

Everything else you say... well... It's true that Linux often lags in support for the newest video and graphics cards, and some cheap shit scanners that only ship with binary blob drivers (I've experienced this and Linux was doin

Re:

[BronsCon]

So, you're saying that just because something you don't believe happens (alien anal probes, which I won't argue) leaves no trace, that something else that leaves no trace also doesn't happen? I'm not sure you fully understand logic, but I digress.

You're approaching me as though you assume I'm a Linux user. Well, you're half right; my desktop of choice, at the moment, is OS X, I and maintain a couple of Windows boxes, but my servers all run Linux. I have to agree, KDE4 is garbage, but I loved KDE3 when I u

Re:Anyone using Windows deserves it

[Cabriel]

If one uses Windows he deserves what he gets!

Ok. I'll bite.

- Hours, days, weeks of waisted time in Installations configurations and updates.

My system installs configuration updates at night or in the background and only reboots when I'm not using it, so no wasted time.

- Bad style, and ugliness

Subjective. I quite like the style and presentation of Windows all the way through Windowss 8.1 although Metro apps are a slight nuisance, but I've never used any open source tool that has better style than its Windows-equivalent, including Apache/Libre/Open Office, The GIMP, Firefox, nor anything made by Google (and if you try to claim Google Docs is somehow better than MSOffice, I guess everyone will now how full of shit you are).

- Slowness and retarded technology

Well, slowness is measurable, but as with your first false claim, it doesn't impact me in meaningful ways. "retarded" technology, however, is subjective and also not something someone should try to hold against MS given how many terrible, terrible OS tools exist.

- Limited devices and architecture support

Really? Really? OK. I'm done here.

NATO & Windows

[__keronin]

holy shit ! NATO uses Windows ??

Oral phase

[Anonymous Coward]

Seems our computer (users) are in their oral phase: stick everything you find on the street in your mouth.

"I want everything to happen automagically when I stuff a random $USB_DEVICE in my box"

"I want everything to happen automagically when I open some $RANDOM_DOCUMENT I found on the intratubes"

"I want any $RANDOM_APP linked from some $MORE_RANDOM_WEBSITE to be automagically installed in my browser (which I also use for banking, ferchrissake) and to take over my life from then on"

Well, duh.

Now, don't take m

Re:

[BronsCon]

If you see a huge flashing "It's a trap!" sign hanging over a big red button labeled "Push Me", and oyu push the button anyway, it's not really victim blaming to blame you for whatever happens next. Just sayin'. When you see the same people get owned the same way, over and over, and you explain to them how it happened, why what they did exposed them to the attack, and what they should do instead, and they come back to you a week later having done the same thing, with the same results, so you explain it agai

Re:

[BronsCon]

Well, yes, the way in which I was right was the context of user education, which is the topic of the post to which I was replying. My point was that user education only works for users willing to be educated, and those users, by and far, don't need to be taught, because, like you and me, they've already taken the time to learn. In short, anyone who has these problems repeatedly has not only refused to ask how to prevent them, they've also refused to listen when told.

oh you naive people.

[Anonymous Coward]

It its not a 'Flaw' its a feature.

One way street?

[rastos1]

... a bug in Microsoft's Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others

Did the bug somehow prevent NATO, Ukraine, EU and others from spying on Russia?

Security

[Anonymous Coward]

Put your computers in a locked room.

Do not attach your computers to an external network.

If you don't trust your employers, don't attach your computers to any network.

Lock the door to the computer room and allow no one but trusted individuals entry.

Lock the door.

We knew this in 1975 when I worked at Burroughs. We knew this in 1973 when I was in charge of changing the paper tapes used for batch printing. Why don't we seem to know this today?

No mention of Kaspersky link to FSB

[Anonymous Coward]

Article fails to mention that Kaspersky anti-virus maker themselves has been linked to Russian state security services and computers using Kaspersky may contain back doors accessible to FSB.

and?

[SuperDre]

What's the news about this? It's not like the US hasn't used the same leaks, or any other country...

Zero-day? Really?

[Retron]

Blimey, get with the times!

22 years ago at school we were all using Object Packager in Windows 3.1 to smuggle in arbitary EXEs - long before any of this current hoo-ha erupted. Of course, we were more concerned with smuggling in games rather than using it for spying...

The only surprising thing is that it's taken them over 22 years to realise that yes, allowing random EXEs to be packaged up isn't really a good idea!

Bug or feature?

[eric_harris_76]

An undocumented ability to spy on NATO countries? Sounds to me like a feature, not a bug.

Correction: spy back on NATO countries. I'm living in one of the snoopiest.