Researchers at the Microsoft Malware Protection Center have observed a hacking team that they call Strontium aiming zero-day attacks at servers in governments, military forces and diplomatic organizations within members of NATO, journalists and political advisors as well as some governments within Eastern Europe, according to a Microsoft blog post.
The group, which has been around since 2007 but has more recently ramped up its efforts, appears to study its targets, using social media and email lists to identify people through whom it can gain access to targeted servers, often by way of social engineering, and more specifically spear phishing.
“This phishing attempt is used to gather information about potential high-value targets and steal their login credentials,” the post said.
And a Microsoft Security Intelligence Report (SIR) said that “STRONTIUM casts a wide net with its reconnaissance activities, seeking login credentials for email and other systems from a large number of people, which it then weeds through to assess its value.”
The SIR noted that Strontium likely “used its spear phishing attacks to target several thousand individuals during the first half of 2015” and while “not choosy with its targets, it is persistent.”
The phishing emails send recipients to a malicious website and most often request that potential victims change a password. The domains that the emails come from have addresses that closely resemble legitimate domains. “Visiting [a] malicious website can also send sensitive information to the attacker, even when no credentials are entered,” the post noted. “The sensitive information can include details of the victim's PC, including its IP address, browser and operating system versions, and any browser add-ons installed. This information can be used to target the individual with software exploits.”
The second phase of the attack involves downloading “malware using software vulnerabilities to further infect the target computers and spread through networks,” according to the blog post.
While clicking on a malicious link in an email installs the malware, Microsoft researchers “have also seen social networks used to spread malicious links,” the blog said. “The highly-targeted emails use current events, such as an upcoming conference, to entice the victim to click a link for ‘additional information.’”
Once the victim clicks the link, “a drive-by-download attack is launched using software vulnerabilities.” The researchers noted that the attacks often exploit zero-day vulnerabilities, flaws for which the software vendor has not yet released a fix.
Microsoft said organizations can reduce or eliminate the likelihood that systems will be compromised by keeping software up to date and patched, segregating privileges on user accounts, conducting awareness training so that users don't fall prey to attackers, and using multi-factor authentication.