National Security Agency exposes tool used by Russian hackers
By WILLIAM TURTON | Bloomberg | Published: May 29, 2020
WASHINGTON (Tribune News Service) — The National Security Agency on Thursday publicly accused an infamous Russian hacking group of exploiting a flaw in software commonly found in Linux computers.
The NSA said it observed hackers from a unit within the GRU, a Russian intelligence agency, using the flaw in order to gain access to computers.
The flaw exists in software called “Exim,” a Message Transfer Agent, the server program that accepts, routes and delivers email, according to the agency. The hacking group, known as Sandworm, has been exploiting the flaw since August 2019, the NSA said.
By exposing how the flaw works, the NSA effectively sought to remove a tool from the Russian hacking arsenal.
The announcement marks a subtle escalation between the two intelligence agencies and comes after an executive order issued by President Donald Trump in 2018 that gave the Department of Defense, which includes the NSA, new powers to call out foreign hacking operations and to conduct more of its own.
“An unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data and create new accounts,” the NSA press release said. The agency is urging users and administrators to apply an already released fix for the Exim flaw. The agency didn’t provide any details on which computer systems the Russian hackers had compromised using the flaw.
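The article does not name the flaw or the fixed version; the NSA advisory it describes identifies it as CVE-2019-10149, which Exim fixed in release 4.92. The following POSIX shell check is an added example, not code from the article, the NSA or the Exim project: it reads the first line of `exim -bV` output (on Debian-derived systems the binary is usually `exim4`) and reports whether the reported version predates the fix. The two sample output lines are constructed for the example; on a real host pipe `exim -bV | head -n 1` into `exim_check_line` instead.

```shell
#!/bin/sh
# Added example: compare a reported Exim version against the release that
# fixed CVE-2019-10149 (the "crafted email -> root" flaw in the NSA advisory).
# The fix shipped in Exim 4.92; anything older is assumed unpatched.

# Extract "4.91" from an `exim -bV` first line such as
# "Exim version 4.91 #1 built 20-Jun-2018 18:03:16".
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when the version is older than 4.92, i.e. unpatched upstream.
# Handles "4.91", "4.92.1" and "4.93" by comparing only major.minor.
exim_is_vulnerable() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -lt 92 ]; then return 0; fi
    return 1
}

# Print a verdict for one line of `exim -bV` output. Always returns 0 so the
# caller can use it under `set -e`; the verdict is in the printed text.
exim_check_line() {
    v=$(exim_version_from_bv "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN (could not parse version)"
    elif exim_is_vulnerable "$v"; then
        echo "VULNERABLE ($v < 4.92)"
    else
        echo "PATCHED ($v)"
    fi
    return 0
}

# Constructed sample lines standing in for real `exim -bV` output.
SAMPLE_OLD='Exim version 4.91 #1 built 20-Jun-2018 18:03:16'
SAMPLE_NEW='Exim version 4.93 #3 built 14-Jan-2020 11:02:55'

exim_check_line "$SAMPLE_OLD"
exim_check_line "$SAMPLE_NEW"
```

One caveat before trusting a VULNERABLE verdict: distribution packages often backport security fixes without changing the version string that `exim -bV` prints, so a host reporting 4.91 may already carry the patched package. Confirm with the package manager's changelog (for example `apt changelog exim4` or `rpm -q --changelog exim`) before treating the version number alone as proof either way.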
Sandworm has been linked to devastating hacks in Ukraine, twice shutting down the country’s power grid and other essential services. The group has also been accused by the U.S. as being behind the infamous NotPetya virus, which decimated computer networks at major companies including Merck & Co. Inc., and attacks on the 2018 Winter Olympics.
In February, the U.S. State Department linked Sandworm to the attacks on Georgian government websites and television stations.
Until recently, it was exceedingly rare for the U.S. government to link hacking operations to the intelligence agencies of foreign governments. When it did occur, it was often through formal documents accompanied by extensive evidence, like the Justice Department indictments of five Chinese military hackers in 2014. But as the aggressiveness of those hacking operations has increased, so has the pressure to name the intelligence agencies and even the specific units involved.
In the case of Russia, the GRU’s operations, including the hacking of participants in the 2016 U.S. presidential election, have made it a particular focus of NSA’s efforts over the last four years.