Microsoft has identified a Russia-linked hacker group's involvement in the zero-day attacks. The hacker group Strontium, which is also known as APT28 and Fancy Bear among others, is the same entity believed to be responsible for the controversial DNC (Democratic National Committee) hack. Microsoft said that Strontium was conducting "low-volume" spear phishing campaigns to target Windows users.
The company revealed that the hacker group leveraged two zero-day vulnerabilities, which were recently exposed by Google, in Adobe Flash and down-level Windows kernel to "target a specific set of customers". Microsoft, however, refrained from mentioning the identities of the victims targeted by the attack.
A zero-day vulnerability is a security flaw that was previously unknown and for which the software maker has yet to release a patch at the time it becomes publicly known.
"STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims' computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information," Microsoft said in an advisory.
Several cybersecurity researchers previously tied Fancy Bear to the Kremlin and the DNC hack. Experts were of the opinion that the group was linked to the breach of the Olympic drug testing agency Wada and also targeted journalists investigating the MH17 crash.
Terry Myerson, executive vice president of Microsoft's Windows and Devices, urged users to upgrade to Windows 10 to ensure that they are protected from such advanced threats. He also noted that those using Windows 10 with Windows Defender Advanced Threat Detection (ATP) are already protected against such threats as it "will detect STRONTIUM's attempted attacks thanks to ATP's generic behavior detection analytics and up-to-date threat intelligence."
Although Myerson thanked Google's Threat Analysis Group for their assistance, he expressed "disappointment" at Google's decision to make the exploits public before patches were made available. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk," he said.
Microsoft said that it was collaborating with Google and Adobe to investigate the attacks and to come up with patches for down-level Windows versions. The firm has vowed to publicly release patches for all Windows versions in their upcoming security update on 8 November.