The US National Security Agency is warning that Russian military hackers are exploiting a critical flaw in Exim, a widely used mail server, that lets an attacker take over the server remotely by sending it a specially crafted email.
“Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August,” the National Security Agency (NSA) said May 28 in a cybersecurity advisory.
Dubbed “the Kremlin’s most dangerous hackers” by Wired senior writer Andy Greenberg, Sandworm Team operates as part of Russian military intelligence.
The notorious group is the first known to have caused a blackout with a cyberattack: its December 2015 strike on part of Ukraine’s electrical grid left around a quarter of a million Ukrainians without power, according to Wired.
The NSA said that the vulnerability in Exim, a mail transfer agent widely used on Unix-like systems, lets an unauthenticated attacker remotely execute arbitrary commands on the mail server, in the worst case with root privileges. The flaw, tracked as CVE-2019-10149, affects Exim versions 4.87 through 4.91.
“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access,” the NSA said.
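The first action in that list, adding privileged users, is also one of the easiest to check for after the fact. The following is an added example, not code from the article or from the NSA advisory: it reads passwd- and group-format text (a live /etc/passwd and /etc/group, or copies taken from a suspect host) and reports accounts that would give an intruder root-level access. The sample data embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or the NSA advisory): flag accounts
# that confer root-level access, the "add privileged users" step quoted above.
# Input is passwd/group file content passed as a string, so the functions
# run equally on a live host ("$(cat /etc/passwd)") or on a forensic copy.

# Print every account whose UID is 0 other than root itself.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print the members of the sudo and wheel groups (comma-separated in field 4).
sudo_group_members() {
    printf '%s\n' "$1" | awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }'
}

# Constructed sample data for the demonstration (not real host output).
# "backup2" is a second UID-0 account, the pattern an intruder would leave.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/var/tmp:/bin/sh'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,backup2
wheel:x:10:'

echo "extra UID-0 accounts:"
extra_uid0_accounts "$SAMPLE_PASSWD"
echo "sudo/wheel members:"
sudo_group_members "$SAMPLE_GROUP"
```

Every name printed should be explainable by an administrator; a UID-0 account that is not root, or a sudo member nobody remembers creating, is worth a look at its creation time and login history. Run against a live host with `extra_uid0_accounts "$(cat /etc/passwd)"` and `sudo_group_members "$(cat /etc/group)"`.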
Successful attacks, however, depend on the target still running an unpatched version of Exim; versions 4.92 and later are not affected.
“When the patch was released last year, Exim urged its users to update to the latest version,” the NSA said, adding that it is now calling on users “to immediately patch to mitigate against this still current threat.”
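The check that advice implies is whether the installed Exim falls in the affected range. The following is an added example, not code from the article, from the NSA advisory or from the Exim project: it classifies the first line of `exim -bV` output against the range published for CVE-2019-10149 (Exim 4.87 through 4.91, with 4.92 the first fixed release). The sample version lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the NSA advisory): classify an Exim
# version banner against the CVE-2019-10149 affected range, 4.87 through 4.91
# (fixed in 4.92). Run on a live host with:
#   exim_cve_2019_10149_status "$(exim -bV | head -n 1)"

# Extract "4.91" from a banner such as "Exim version 4.91 #1 built 30-Jul-2018".
# Only the first two components are kept, so "4.92.3" is handled as "4.92".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints "vulnerable", "patched" or "unknown".
exim_cve_2019_10149_status() {
    ver=$(exim_version_from_bv "$1")
    if [ -z "$ver" ]; then
        echo unknown        # not an Exim banner; refuse to guess
        return 0
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        echo vulnerable
    elif [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 92 ]; }; then
        echo patched
    else
        echo unknown        # pre-4.87 releases are out of support; not assessed here
    fi
}

# Constructed sample banners for the demonstration (not real host output).
for banner in 'Exim version 4.91 #1 built 30-Jul-2018 15:04:27' \
              'Exim version 4.92 #3 built 10-Feb-2019 11:11:11' \
              'Exim version 4.92.3 #1 built 01-Oct-2019 09:00:00'; do
    printf '%-50s %s\n' "$banner" "$(exim_cve_2019_10149_status "$banner")"
done
```

One caveat for a version-only check: Linux distributions routinely backport security fixes without changing the upstream version number, so a Debian or Red Hat package that reports 4.89 or 4.91 may already carry the fix. Treat "vulnerable" from this script as "confirm against the package changelog", and "patched" as reliable.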
Sandworm Team, Russian GRU Main Center for Special Technologies actors, continue to exploit Exim mail transfer agent #vulnerability, CVE-2019-10149.
— NSA Cyber (@NSACyber) May 28, 2020
Sandworm Team, which also goes by the names Voodoo Bear and Telebots, has spent years targeting Ukraine, which is effectively at war with Russia.
Besides two successful blackout attacks in 2015 and 2016, the hacker squad has targeted various sectors of Ukrainian society, according to Wired, destroying computers at media companies, deleting data on government servers, and paralyzing infrastructure.
According to Greenberg’s book about Sandworm, as cited by the Financial Times, the objective of Sandworm Team’s activities was not only to undermine Ukraine but also to test Russian cyber capabilities ahead of possible future attacks on more powerful adversaries, such as the United States.
“This has a whiff of August 1945,” Michael Hayden, the former head of the CIA and NSA, is quoted in Greenberg’s book as saying, comparing the new cyberwar initiatives to the deployment of a nuclear bomb in World War II. “Somebody just used a new weapon, and this weapon will not be put back in the box.”