Researchers discovered three distinct hacker groups using similar, previously unknown security flaws in Microsoft Office to attack victims.
Two of the groups are previously known suspected Russian espionage teams, and the third group appears to have used the same code to rob banks.
The trio was uncovered by the security firm FireEye.
The hackers took advantage of two flaws in how Microsoft Office handled graphics files in the Encapsulated PostScript (.EPS) format. In each of the attacks, the hackers sent the victim an Office document carrying a malicious EPS image; opening the document triggered the flaw and let the attackers' code run on the victim's machine.
Both APT 28, also known as Fancy Bear and best known for conducting the Democratic National Committee hack, and a group targeting Middle Eastern banks used the same flaw to launch their attacks. Turla, a different suspected Russian hacking group, discovered by Kaspersky Lab in 2014, used a different EPS bug.
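The delivery vector described above is an Office document with an EPS image inside it. Modern Office files (.docx, .pptx, .xlsx) are zip archives, so a defender can triage them offline by looking for EPS parts. The script below is an added example, not code from the article or from FireEye: it builds a few constructed sample documents in memory and checks each one using two independent signals, the content types the document declares and the magic bytes of every media part, because an attacker controls the file name and can rename an EPS part to .png. The two magic numbers it looks for (`%!PS-Adobe` for plain-text EPS and the bytes `C5 D0 D3 C6` for the DOS EPS binary wrapper) are the standard EPS signatures; the `build_sample_docx` helper and the sample part contents are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Standard on-disk EPS signatures: plain PostScript text, and the
# "DOS EPS binary" wrapper whose first four bytes are C5 D0 D3 C6.
EPS_TEXT_MAGIC = b"%!PS-Adobe"
EPS_BINARY_MAGIC = b"\xC5\xD0\xD3\xC6"

# Where OOXML applications store embedded images.
MEDIA_PREFIXES = ("word/media/", "ppt/media/", "xl/media/")


def sniff_eps(data: bytes) -> bool:
    """Return True if the bytes look like an EPS file, whatever the part is named."""
    head = data[:32]
    if head.startswith(EPS_BINARY_MAGIC):
        return True
    # Tolerate a BOM or leading whitespace before the PostScript header line.
    return head.lstrip(b"\xef\xbb\xbf \r\n\t").startswith(EPS_TEXT_MAGIC)


def find_embedded_eps(doc_bytes: bytes) -> List[Tuple[str, str]]:
    """Scan an OOXML document (docx/pptx/xlsx) for EPS parts.

    Returns (part_name, reason) pairs. This is a triage check, not a verdict:
    legitimate documents can embed EPS, and a hit means "look closer".
    """
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        except KeyError:
            ctypes = ""  # Malformed package; fall through to byte sniffing only.
        if "postscript" in ctypes or 'extension="eps"' in ctypes:
            findings.append(("[Content_Types].xml", "declares an EPS/PostScript content type"))
        for info in zf.infolist():
            name = info.filename
            if not name.startswith(MEDIA_PREFIXES):
                continue
            data = zf.read(name)
            if name.lower().endswith(".eps"):
                findings.append((name, "media part has .eps extension"))
            elif sniff_eps(data):
                findings.append((name, "media part has EPS magic bytes under a non-EPS name"))
    return findings


# --- Constructed sample documents (hypothetical, for the example only) ---

CONTENT_TYPES = {"png": "image/png", "eps": "image/x-eps"}


def build_sample_docx(media: Dict[str, bytes]) -> bytes:
    """Build a minimal OOXML zip whose only interesting parts are the given media files."""
    exts = sorted({n.rsplit(".", 1)[-1].lower() for n in media})
    defaults = "".join(
        f'<Default Extension="{e}" ContentType="{CONTENT_TYPES.get(e, "application/octet-stream")}"/>'
        for e in exts
    )
    ctypes = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{defaults}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in media.items():
            zf.writestr("word/media/" + name, data)
    return buf.getvalue()


PNG_STUB = b"\x89PNG\r\n\x1a\n" + bytes(16)
EPS_TEXT = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n/x { pop } def\n"
EPS_BINARY = EPS_BINARY_MAGIC + bytes(26)

SAMPLES = {
    "benign": build_sample_docx({"logo.png": PNG_STUB}),
    # Declared EPS part plus a second EPS renamed to .png.
    "eps_declared_and_renamed": build_sample_docx({"image1.eps": EPS_TEXT, "image2.png": EPS_BINARY}),
    # Nothing declared; the only EPS hides behind a .png name.
    "eps_renamed_only": build_sample_docx({"image1.png": EPS_BINARY, "logo.png": PNG_STUB}),
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, find_embedded_eps(doc))
```

The byte-level check is what matters in practice: Office picks the graphics filter from the part's content, so an EPS stored as `image2.png` still reaches the EPS code path, and a scanner keyed only on the `.eps` extension would miss it.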
FireEye reported that the suspected Russian hacking outfits had attacked political targets in NATO member states.
The APT 28 and Turla attacks used the software vulnerabilities to install malware specific to each of the two groups. The bank robber group instead installed an already-known piece of malware called Netwire.
All three groups also had to chain the document exploit with additional security vulnerabilities to escalate their access far enough to install their tools.
In APT 28's case, one of those additional flaws was itself previously unknown.
Unknown security flaws can fetch hundreds of thousands of dollars through sales to intelligence agencies; the United States is known to acquire vulnerabilities this way. In this case it appears that the same vendor supplied the same vulnerability to both APT 28 and the robbery group, since the two used what appears to be the same exploit code.
Russian actors including APT 28 are typically known for phishing for passwords to a target's network and installing malware from there, phishing being an effective technique that costs nothing to use. The document exploit used here is out of character: more subtle, but far more costly.
“Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. Rather, the use of less technically sophisticated methods — when sufficient — reflects operational maturity and the foresight to protect costly exploits until they are necessary,” said FireEye analyst Ben Read in a statement.