Hackers exploited a hole in Microsoft Word while Vole effectively tried to get more detail on the flaw.
The flaw, CVE-2017-0199, was dangerous but not difficult to fix but allowed a hacker to seize control of a personal computer with little trace. After nine months, it was fixed in Microsoft’s last regular monthly security update.
While Vole “investigated”, Hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. It was also used by a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.
Last July, Ryan Hanson found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer. He told Microsoft in October after working out that the vulnerability could be mixed with something which made it even nastier.
Microsoft could have fixed the problem – all it took was a quick change in the settings on Word, but if it notified customers about the bug and the recommended changes, it would also be telling hackers about how to break in. It could have patched the flaw but it thought it would be better to “dig deeper”, since no one was using Hanson’s method, and it wanted to be sure it had a comprehensive solution.
Microsoft performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported.
It was complex – a little too complex. Because while Vole was going deeper the unknown hackers initially found Hanson’s bug and started using it.
The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues in Russia and areas held by Russian-backed rebels in eastern Ukraine, researchers said. Their computers were infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments.
It appears that one of Gamma’s customers was trying to get inside the computers of soldiers or political figures in Ukraine or Russia, either of those countries, or any of their neighbours or allies, could have been responsible. Such government espionage is routine.
In March, security researchers at FireEye noticed that a notorious piece of financial hacking software known as Latenbot was being distributed using the same Microsoft bug.
FireEye probed further, found the earlier Russian-language attacks, and warned Microsoft. The company, which confirmed it was first warned of active attacks in March, got on track for an April 11 patch.
McAfee saw some attacks using the Microsoft Word flaw on April 6. It established that the flaw had not been patched, contacted Microsoft, and then blogged about its discovery on April 7. McAfee Vice President Vincent Weafer admitted that leaking the information was “a glitch in our communications with our partner Microsoft”.
The blog post contained enough detail that other hackers could mimic the attacks.
By April the 9th, a program to exploit the flaw was on sale on underground markets for criminal hackers.
Finally, on Tuesday, about six months after hearing from Hanson, Microsoft made the patch available.
It is unclear how many people were ultimately infected or how much money was stolen.
