Microsoft to block Windows flaw used by Russian hackers

Brett Molina and Elizabeth Weise
USA TODAY

SAN FRANCISCO — Microsoft says it will release a patch next week to address vulnerabilities in its Windows operating system exploited by a group reportedly tied to the Russian government and linked to the theft of emails from the Democratic National Committee.

The group, called Strontium by Microsoft but Fancy Bear or APT 28 by other security researchers, has been tied to Russian state-sponsored hacking.

U.S. government intelligence agencies have said Russian groups were behind attempts to interfere with this year's U.S. presidential election.

Strontium has targeted government agencies, diplomatic institutions, military organizations, plus defense contractors and public policy research institutes, Microsoft's executive vice president of Windows and devices group Terry Myerson said in a blog post on Wednesday.

"Strontium frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer," said Myerson.

Myerson did not directly link Strontium to Russia, saying only that it has been used "to target a specific set of customers."

Strontium is Fancy Bear

However, according to CrowdStrike, an Irvine, Calif.-based computer security company that published a detailed analysis of the Democratic National Committee intrusion in June, Strontium is simply another name for the group called Fancy Bear, a Russian intelligence-affiliated adversary.

The exploits used by Strontium involve versions of Windows going back to Vista as well as Adobe's Flash, according to Myerson. Microsoft says the group launched a campaign involving spear phishing, in which users receive a malicious email disguised as a message from a friendly individual or business. If successful, hackers using the exploits could gain access to a victim's computer. A patch is expected by November 8.

"Patches for all versions of Windows are now being tested by many industry participants," said Myerson.

The patch doesn't mean that Strontium will no longer be able to launch attacks, merely that it will need to find new vulnerabilities. Fancy Bear/Strontium has a history of using so-called “zero day vulnerabilities.” These are security holes in software that are unknown and therefore have not been patched, ones companies do not realize they must protect against.

“At this point, they’ve probably got others that they could deploy if they’ve got a target that’s sufficiently important,” said Adam Meyers, vice president of intelligence at CrowdStrike.

Google's disclosure: 'disappointing'

The exploits were first discovered by Google's Threat Analysis Group, and shared publicly on Monday. Myerson called Google's decision to share details of the vulnerabilities "disappointing," adding it puts customers at risk.

"We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," said Myerson.

In Google's statement detailing the exploit, threat analysis group members Neel Mehta and Billy Leonard say they first reported the vulnerabilities privately on October 21. Google says Adobe addressed the exploit five days later.

"After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," say Mehta and Leonard. "This vulnerability is particularly serious because we know it is being actively exploited."

Follow Brett Molina on Twitter: @brettmolina23.

Elizabeth Weise covers technology and cybersecurity for USA TODAY. Follow her at @eweise.
