How Russian hackers used Microsoft PowerPoint files to hack NATO computers

Staff Writer

How Russian hackers used PowerPoint files to hack NATO computers

The ‘Patch Tuesday’ fixes included a patch for a vulnerability that a Russian Hacker team was using to target NATO. These attacks target high-profile organizations so you don’t have much of a reason to be worried (but please update!). So, no need to panic, this is just an interesting scenario that sheds some light on how computers can be compromised.

The Russian team is called ‘Sandstorm Team’ and has been targeting organizations in Russia, the European Union, and United States since 2009. This attack used malicious PowerPoint documents. The Sandstorm Team crafted these PowerPoint files to install a malware called ‘Black Energy’ when opened. The malware installed is ‘bot-based’ and uses a plugin architecture that can be used for Distributed Denial of Service (DDoS) attacks, credential theft, or spam.

Then, in a ‘spear-fishing’ attack, they sent these files to the employees of NATO and different telecom and energy companies. A ‘spear-fishing’ attack is when the attacker pretends to be a trustworthy source to trick the victim into opening malicious files, in this case, PowerPoint files which installed malware.

PowerPoint 2013

Normally, you don’t want to run exe files that you don’t trust as they execute unrestricted code. But a PowerPoint file should just open a PowerPoint, so it’s safe, right? Wrong. You should never open files that are from questionable sources. This particular attack used a vulnerability in OLE that allowed the attacker to execute any command, which was used to install the malware through the mere opening of the PowerPoint file.

OLE stands for Object Linking and Embedding, and is used in cases such as linking an Excel report in a PowerPoint document. This way, when the Excel report is updated, so is the data that shows up in the PowerPoint. It is a very useful feature, but the attackers found a vulnerability that lets them use it to install malware. This vulnerability in the OLE has now been patched.

This was a ‘zero-day,’ which are attacks where the attacker finds a vulnerability first and be able to exploit it before anyone has any knowledge about it, let alone has a chance to fix it. These types of attacks happen all the time, and the only way to fix one is to detect the malware exploiting it and then patch the vulnerability. To help ensure the safety of your own system, don’t click on anything you don’t trust, and install updates as soon as possible.