The U.S. National Security Agency (NSA) on May 28 warned government partners and private companies about a Russian hacking operation that it says uses a special intrusion technique to target operating systems often used to manage computer infrastructure.
“This is a vulnerability that is being actively exploited, that’s why we’re bringing this notification out,” said Doug Cress, chief of the cybersecurity collaboration center and directorate at NSA, in an advisory. “We really want…the broader cybersecurity community to take this seriously.”
The notice is part of a series of public reports by the U.S. agency to share actionable cyber defense information.
The NSA said the hacking activity was tied to “Russian military cyber actors, publicly known as Sandworm Team,” who are part of Russia’s Main Intelligence Directorate’s (GRU) Main Center for Special Technologies.
The NSA said the hackers have used the special intrusion technique to add privileged users, disable network security settings, and execute code that enables further network exploitation – “pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim [mail transfer agent].”
The Exim mail transfer agent is software widely used on Unix-based operating systems such as Linux, but it is far less known than commercial alternatives such as Microsoft Exchange. The vulnerability was patched last year, but some users have not updated their systems.
The NSA did not say who the Russian military hackers have targeted, what business sectors had been most affected, or how many organizations were compromised. But senior U.S. intelligence officials have warned in recent months that Kremlin agents are engaged in activities that could threaten the integrity of the November presidential election.
The Sandworm group is the same one that interfered in the 2016 presidential election, stealing and exposing Democratic National Committee emails and breaking into voter registration databases.
It also has been blamed for disruptive cyberattacks against Ukrainian electric production facilities.
Secretary of State Mike Pompeo called out the same GRU unit in February for conducting a cyberattack against the country of Georgia.