Exposed: Russians Exploited Adobe, Microsoft Flaws to Hack U.S. Gov’t

Following last month’s reports that Russians hacked into U.S. government computer systems, the exact method of the security breach is now being revealed. The breach, which took place last October, caused temporary disruptions in some government services. Several federal agencies are still investigating the breach, but many in the I.T. security community are solidly pointing fingers at Russia.

According to media reports, the hackers gained access to sensitive information such as real-time, non-public details of the U.S. president’s schedule. While such information is not classified, it is still highly sensitive and prized by foreign intelligence agencies.

Now, cybersecurity firm FireEye Labs is getting to the root of the attack. The firm has detected a limited advanced persistent threat (APT) campaign it is calling Operation RussianDoll that exploits zero-day vulnerabilities in Adobe Flash and a previously unknown flaw in Microsoft Windows.

Benefitting the Russian Government

How did FireEye come to this conclusion? The company’s researchers detected a pattern of attacks beginning on April 13 exploiting the two flaws and traced it back to the attacks through the correlation of technical indicators and command and control infrastructure.

Adobe independently patched the vulnerability. Microsoft is aware of the Windows vulnerability. Although there is not yet a patch available for the Windows vulnerability, the good news is the firm reports that updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous. Meanwhile, Microsoft is working on a fix.

FireEye figures APT28 is probably responsible. FireEye reported on APT28 last October, when the cyber attacks against the US government were first revealed. The report pointed to Russia as the likely perpetrator.

“In contrast with the China-based threat actors that FireEye tracks, APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government,” the firm said. “Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.”

Not Surprising

In related news, security intelligence firm Trend Micro is reporting what it calls Operation Pawn Storm ramping up its activities against North Atlantic Treaty Organization (NATO) nations and even the White House.

“Pawn Storm targeted mainly military, government and media organizations in the United States and its allies,” the Trend Micro report reads. “We determined that the group also aimed its attacks on Russian dissidents and those opposing the Kremlin, as well as Ukrainian activists and military, which has led some to speculate that there might be a connection with the Russian government.”

It looks more and more like Russia is behind the attacks on the White House computer networks. Ben Rhodes, President Barack Obama’s deputy national security adviser, told CNN’s Wolf Blitzer that he doesn’t believe classified systems were compromised.

“It is not surprising that Russia has been identified as being the perpetrator in last year’s attack on U.S. government assets,” said John Gunn, Vice President of Data Security at authentication company Vasco. “You can be certain that the superpowers are going at each other all of the time. The surprising part is that they got caught this time.”
