An infamous Russian hacker group is hijacking mail servers

A new NSA report reveals that Russian hackers have gained power over email systems

By Matthew Rozsa

Staff Writer

Published May 30, 2020 3:54PM (EDT)

Typing code on a laptop computer (Getty Images)

A new report from the US National Security Agency reveals that a group of Russian hackers associated with the GRU, that country's military-intelligence agency, has been exploiting a known software vulnerability to break into American computers.

In a Thursday advisory, the National Security Agency (NSA) wrote that "Russian cyber actors from the GRU Main Center for Special Technologies, field post number 74455, have been exploiting a vulnerability in Exim Mail Transfer Agent software since at least August 2019. The cyber actors responsible for this malicious cyber program are known publicly as Sandworm team."

Exim is a mail transfer agent (MTA), the server software that receives and routes email, and it is widely deployed on Unix and Linux servers connected to the Internet. According to the NSA, "an unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts" by exploiting a critical vulnerability in Exim. Because the commands run as root, the attacker needs no account or password on the target: a single malicious message delivered to a vulnerable server is enough to take it over completely.

More sobering than this is the identity of the hackers: Sandworm is widely considered one of the most notorious hacker groups in the world.

"It's thought that they were behind the BlackEnergy malware attacks in 2015 and 2016 that used a multi-pronged campaign to cause power outages in Ukraine – both times in the winter," Lindsay Gorman, a Fellow for Emerging Technologies at the Alliance for Securing Democracy, told Salon by email. "A spearphishing campaign penetrated the IT systems of Ukrainian power distribution companies, seized control of them, and then used distributed denial of service attacks to prevent information on the outages from being sent out."

Gorman also noted that Sandworm is exploiting a vulnerability that was publicly known, and patched, long before the advisory was issued.

"The interesting thing is that the vulnerability being exploited here is not new," she explained. "It was previously discovered and a patch was already issued back in June. The advisory coming now could be serving an awareness-raising function, indicating that not all systems have actually downloaded and run the patch. This is a reminder that cyber vigilance is not only about discovering exploits, but having robust systems in place to patch networks across an entire business or government enterprise. Cybersecurity is a complex ecosystem with many moving parts — finding the bug is only half the battle."
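The practical check that follows from the NSA description of the bug and from Gorman's point about unpatched systems is an inventory: which mail servers still run an affected Exim release? The script below is an added example, not code from the article, the NSA advisory or the Exim project. It assumes two facts not stated on the page but well established: the flaw is CVE-2019-10149, affecting upstream Exim 4.87 through 4.91, and the fix shipped in Exim 4.92 (June 2019, matching the "patch issued back in June" above). The hostnames and banner lines are constructed sample input.

```python
"""Triage mail servers by Exim version as a first pass at finding unpatched hosts.

Added example. Assumption (not on the page): the advisory's flaw is
CVE-2019-10149, present in upstream Exim 4.87 through 4.91 and fixed in 4.92.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_VULNERABLE: Version = (4, 87, 0)   # first affected upstream release
FIRST_FIXED: Version = (4, 92, 0)        # upstream fix, released June 2019

# Matches the version both in an SMTP greeting ("220 host ESMTP Exim 4.91 ...")
# and in `exim -bV` output ("Exim version 4.92.3 #2 built ...").
_VERSION_RE = re.compile(
    r"\bExim\s+(?:version\s+)?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE
)


def parse_exim_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from a banner or -bV line, or None if absent.

    Operators often hide the version with a custom smtp_banner, so a missing
    version is a normal outcome and must not be read as 'patched'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_status(version: Optional[Version]) -> str:
    """Classify a version against the affected window [4.87, 4.92)."""
    if version is None:
        return "unknown"
    if FIRST_VULNERABLE <= version < FIRST_FIXED:
        # Caveat: Debian/Ubuntu-style packages backport security fixes while
        # keeping the upstream number, so confirm against the package changelog
        # before treating this as confirmed vulnerable.
        return "vulnerable-by-version"
    return "not-affected-by-version"


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a status, given its captured banner or `exim -bV` line."""
    return {host: version_status(parse_exim_version(line)) for host, line in hosts.items()}


# Constructed sample input: the kind of lines a banner grab or a fleet-wide
# `exim -bV` would return. Hostnames are hypothetical.
SAMPLE_HOSTS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Thu, 28 May 2020 09:00:00 +0000",
    "mx2.example.test": "Exim version 4.92.3 #2 built 03-Oct-2019 12:00:00",
    "mx3.example.test": "220 mx3.example.test ESMTP ready",  # version hidden by smtp_banner
    "mx4.example.test": "220 mx4.example.test ESMTP Exim 4.86_2 Tue, 26 May 2020 08:00:00 +0000",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host:20} {status}")
```

Treat "vulnerable-by-version" as a lead, not a verdict: a host whose distribution backported the fix will still announce 4.89 or 4.91, and a host that hides its version can be just as exposed as one that shows it. The version check tells you where to look first; the package changelog and the running binary's build date settle the question.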

Ever since the 2016 presidential election, the specter of Russian hacking has cast a shadow over American political life. Many Americans believe that Russian hacking on behalf of Donald Trump cost Hillary Clinton the presidency in the 2016 election, and intelligence agencies have repeatedly characterized Russian hacking as a major national security threat. In an interview last year with Michael McFaul, the former US ambassador to Russia, the diplomat told Salon that Russia's attempts at meddling in the American presidential election were unprecedented.

"Even during the Cold War, we'd never seen the Soviets try to do that," McFaul told Salon. "What impresses me in two ways is one, just how extensive it was. It's on social media. It's hacking, stealing data from the Democratic Party and publishing it. It's sending representatives and emissaries to go meet with the Trump family and the Trump Organization to offer up compromising material on Clinton, it's discussions about lifting sanctions, and it's just multifaceted on the one hand."

According to Gorman, the Justice Department under Trump has taken some measures to punish the GRU for its hacking activities.

"The Justice Department has indicted GRU officers for computer hacking, wire fraud, aggravated identity theft and money laundering in the past in connection with incidents including the 2016 operation," Gorman explained. "And Treasury has sanctioned Russian individuals and companies for conducting cyber attacks against the US and its allies. Public advisories like this one also point a finger at Russia for these intrusions and make it clear that the threat has not abated, but the US and its allies continue to be a target for nation state adversaries like Russia."

Matthew Rozsa is a staff writer at Salon. He received a Master's Degree in History from Rutgers-Newark in 2012 and was awarded a science journalism fellowship from the Metcalf Institute in 2022.