the sandworm attack collects your certificates to become a trusted hacker in your network

"Although iSight only has a small view of the number of victims targeted in the campaign, the victims include among others, the North Atlantic Treaty Organization, Ukrainian and European Union governments, energy and telecommunications firms, defense companies, as well as at least one academic in the US who was singled out for his focus on Ukrainian issues. The attackers also targeted attendees of this year’s GlobSec conference, a high-level national security gathering that attracts foreign ministers and other top leaders from Europe and elsewhere each year.


It appears Sandworm is focused on nabbing documents and emails containing intelligence and diplomatic information about Ukraine, Russia and other topics of importance in the region. But it also attempts to steal SSL keys and code-signing certificates, which iSight says the attackers probably use to further their campaign and breach other systems.

and we are not talking about some spammers or scriptkiddies these are targeted attacks against high value targets so you can not suppose that they are not going to do this, why wouldn't they if this was their main purpose of the attack, having access to the confidential and secret information that they were after in the first place

with or without a certificate

it makes it also much easier to infect other systems because your malware code is authentificated with a stolen certificate (and code seldom is signed by external institutions and it is seldom that you can see somewhere where it is installed and used)

some other interesting information

* the virus-attacker is known since 2008

* it uses some process in powerpoint, so this is the entree point for the virus (some powerpoint files extremely popular with decisionmakers)

* it wouldn't surprise me if the targeted western european government that is mentioned vaguely is Belgium because the European Union and NATO are also targeted so why shouldn't you attack also the government that is on the same networks ?

* it is also interesting to note that they are talking about several European telecommunication firms ....


The comments are closed.