The National Security Agency (NSA) has warned that elite Russian military hackers are actively exploiting a popular email program to infiltrate computer systems within the United States. The Russian military hacking group, Sandworm Team, operates as part of the Russian General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies. Sandworm has been in operation for more than a decade and has carried out sophisticated cyberattacks against governments, telecommunications, and energy sectors in Ukraine, Poland, the European Union, and NATO. The group was responsible for the NotPetya attacks in 2017, which resulted in the loss of billions of dollars in North America, Europe and Asia. It also carried out large-scale attacks against private websites in the country of Georgia. Sandworm enjoys Russian backing as the state-sanctioned threat actor carrying out Russia's cyberwar campaigns.
NSA cybersecurity advisory on Russian hackers
The NSA said the Russian hackers had discovered a unique vulnerability that gives them access to computer systems by sending a special email to the targeted user. The specially crafted email executes commands with root privileges without alerting the user.
By exploiting the CVE-2019-10149 vulnerability in the Exim mail transfer agent (MTA), the Russian hackers can add privileged users, disable network security settings, and execute further commands to extend their control of the system. The hijacked system then downloads more shell scripts from a server run by the Russian hackers, giving the attackers still deeper access to core operating system settings, according to the cybersecurity advisory. These actions are possible on any computer running an unpatched version of Exim. Intelligence officials at the NSA Cybersecurity Directorate referred to the vulnerability as "an attacker's dream access." Russian hackers working at the GRU military intelligence agency have been conducting the mail hacking campaign since August 2019, according to the NSA cybersecurity advisory.
The Russian hacker group is the best of the APT actors, and they know how to identify a core vulnerability when they find one, according to Ian Thornton-Trump, CISO at threat intelligence specialist Cyjax. Thornton-Trump says the threat posed by the exposed Exim machines is significant because some may be operating in industrial environments. Such an environment gives hackers easy access to industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. These methods have been used to conduct attacks against energy companies, suggesting that Sandworm may have used the Exim flaw for industrial attacks.
Russian hackers' access to US systems is all the more significant with the coming elections. Russian hackers were responsible for hacking the DNC and the Hillary Clinton campaign, allegedly influencing the outcome of the presidential election in 2016. Sandworm was also responsible for hacking election boards in Arizona and Illinois. The latest cybersecurity advisory, issued by the recently reconstituted NSA Cybersecurity Directorate, seeks to forewarn organizations of the possibility of similar incidents taking place during the next polls, and also indicates the current level of preparedness of government agencies for potential Russian meddling in US elections. The agency therefore hopes organizations will take the cybersecurity advisory seriously and close the gaps that would grant Russian hackers access to critical systems in the United States.
Apply Exim patch
The NSA cybersecurity advisory directs users to update their Exim software to version 4.93 or later to keep the Russian hackers out. An Exim update was released soon after the discovery of the vulnerability in June 2019, but some users failed to patch their systems.
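The patch check above is easy to automate across a fleet. The following script is an added example, not part of the article or the NSA advisory: it reads the first line that `exim -bV` prints ("Exim version X.YY #N built ...") and flags any host below the 4.93 floor the advisory names. The `exim`/`exim4` binary names on PATH and the sample output embedded below are assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum version the advisory tells administrators to run.
MIN_SAFE_VERSION = "4.93"

# Constructed sample of `exim -bV` output (assumption: real output has this
# first-line layout) so the example runs on a host without Exim installed.
SAMPLE_BV_OUTPUT = (
    "Exim version 4.91 #1 built 11-Dec-2018 17:12:53\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
)

_VERSION_RE = re.compile(r"^Exim version (\d+(?:\.\d+)+)", re.MULTILINE)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.92.3' into (4, 92, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_version(bv_output: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric Exim version from `exim -bV` output; None if not found."""
    match = _VERSION_RE.search(bv_output)
    return version_tuple(match.group(1)) if match else None


def needs_patch(bv_output: str, minimum: str = MIN_SAFE_VERSION) -> Optional[bool]:
    """True if the reported version is older than `minimum`, False if it is
    current, None if the output could not be parsed (treat None as 'investigate')."""
    found = parse_version(bv_output)
    if found is None:
        return None
    return found < version_tuple(minimum)


def check_local_exim() -> Optional[bool]:
    """Run the real binary on this host (assumed names 'exim' or 'exim4')."""
    for binary in ("exim", "exim4"):
        try:
            proc = subprocess.run([binary, "-bV"], capture_output=True, text=True, check=False)
        except FileNotFoundError:
            continue
        return needs_patch(proc.stdout)
    return None  # Exim not installed or not on PATH


if __name__ == "__main__":
    print("sample host needs patch:", needs_patch(SAMPLE_BV_OUTPUT))
    print("this host needs patch:", check_local_exim())
```

Feed the same function the captured `exim -bV` output from each mail server in an inventory to get a per-host patch list.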