For months this summer, unidentified hackers used a previously unknown hole in Microsoft Corp.’s Windows operating system to spy on Ukrainian officials and an American academic, according to an investigation by a U.S. cybersecurity company.
Microsoft said it plans to release a patch for the bug Tuesday. But once it is publicized, other hackers could race to exploit the vulnerability before Windows users update their systems, which often doesn’t happen immediately.
The incident underscores the risk to consumers as nations engage in computer espionage by searching for flaws in widely used commercial software. Spy agencies often try to hack very specific targets, but the security holes they exploit can be used by others once they are revealed.
“Every criminal and their brother is going to be trying to exploit this flaw in the next few weeks,” said Christopher Soghoian, principal technologist at the American Civil Liberties Union. For years, Mr. Soghoian has argued that governments put the Internet at risk by using such cyberweapons.
The U.S. government has taken much of that heat following leaks from former National Security Agency contractor Edward Snowden that showed U.S. spies worked to perfect such tools. The new disclosures of pro-Russian hacking illustrate the work done elsewhere.
The bug apparently used against Ukrainian officials could allow an outsider to control a computer running Windows Vista, 7 or 8, the most current version. The hackers deployed it by using malicious PowerPoint documents, said researchers at iSight Partners Inc. who discovered the bug in early September.
On Tuesday, Microsoft expects to patch two other Windows security holes recently exploited in cyberspying campaigns. It isn’t clear who was targeted or behind those attacks, discovered by researchers at FireEye Inc., a Silicon Valley cybersecurity company.
In a statement, Microsoft said it is issuing patches to “help protect customers.”
Vendors release patches continually, but the bugs they fix are rarely linked so explicitly to the work of spies.
Researchers at iSight spotted the Windows flaw as fighting flared in Eastern Ukraine between the Kiev government and pro-Russian secessionists. They said Ukrainian government employees and an American Russia specialist, whom they declined to identify, received the malicious documents this summer in emails that appeared to contain intelligence from Ukraine’s security services on Russian sympathizers.
Once users opened the PowerPoint, the hackers had access to their computers, the iSight researchers said.
Despite the attention given to reports of state-sponsored hacking from China, Iran and Russia, it is challenging to determine the origin or purpose of a cyberattack. Rather, hunches are developed by assessing motives and scraps of digital evidence.
In this case, iSight said it detected several clues that suggested the hackers were working on behalf of the Russian government. At least one of the hackers was fluent in Russian, based on files stored on an unprotected server used by the hackers.
Another clue, said iSight, is the significant time and money needed to find new security holes in complex software such as Windows, suggesting the hackers may have had the resources of a government behind them. Governments can use spy agencies to locate such holes, or buy exploits from elite hackers.
Third, iSight said it had tracked this group of hackers online since late 2013, and found them routinely seeking intelligence from targets of particular interest to Russian national interests. The list of targets includes the North Atlantic Treaty Organization, Polish energy firms and at least one other Western European government, iSight said.
“We cannot say with 100% certainty we’re talking about some guy in a Russian government building,” said Stephen Ward, an iSight spokesman. “But we can say this is cyberespionage, and it’s cyberespionage focused on Russian objectives.”
Representatives for the Russian and Ukrainian embassies in Washington didn’t return requests for comment Monday.
Pro-Russian hackers would hardly be alone in their use of previously unknown security holes, known as 0-days, and the exploits written for them, in espionage. Cyberattacks linked to the Chinese government have relied on holes in Microsoft’s Internet Explorer, and the U.S. government has used similar tactics to disable nuclear equipment in Iran, The Wall Street Journal and New York Times have reported.
In an April blog post, White House cybersecurity coordinator Michael Daniel said the administration has a “disciplined, rigorous and high-level decision-making process” for determining whether to exploit a security vulnerability in commercial software for espionage purposes.
There is however one unexplained bit, iSight said.
The hackers’ computer code contains numerous obscure references to Dune, the cult science-fiction series known for huge snakelike creatures that roam the desert.
Naturally, iSight has internally dubbed the hacking group “Sandworm.”