A group of cyber spies targeted the North Atlantic Treaty Organization (NATO), Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year, in some cases using a previously unknown flaw in Windows systems to infiltrate targets, according to a research report released on Tuesday.

Dubbed "Sandworm" by iSIGHT Partners, the security consultancy that discovered the zero-day attack, the campaign is suspected to be Russian in origin based on technical details, the malware tools used, and the chosen targets, which also included government agencies in Europe and academics in the United States. If confirmed, the attack is an uncommon look into Russia's cyber-espionage capabilities.

"We can confirm that NATO was hit; we know from several sources that multiple organizations in the Ukraine were targeted," said John Hultquist, senior manager of cyber-espionage threat intelligence for iSIGHT. "We have seen them using Ukrainian infrastructure as part of their attacks."

The Sandworm Team, named because its members include references from Frank Herbert's Dune series in their code, also used a previously unknown software flaw to compromise some targets. Using the security hole, the Sandworm group could execute their attacks on systems running up-to-date versions of Windows Vista, Windows 7, Windows 8, and Windows RT. Microsoft plans to release a patch for the flaw during its regular updates on Tuesday.

"The power of the exploit is pretty substantial," Hultquist said. "From talking to some people over here, they have had a hard time writing signatures for it, and the attack does not crash anything. It's subtle."

Ironically, Windows XP, which Microsoft for the most part no longer supports, is not vulnerable to the attack.

This is not the first time that details of the espionage group's activities have been reported. The group landed in the news in September, when pieces of the operation were described by antivirus firms F-Secure and ESET. Those companies discovered that a relatively well-known spam and bank-fraud tool, known as Black Energy, had been used by the attackers to compromise systems and steal data.

"We have observed over a hundred individual victims of these campaigns during our monitoring of the botnets," Robert Lipovsky stated in ESET's initial analysis of the campaign in September. "Approximately half of these victims are situated in Ukraine and half in Poland, and they include a number of state organizations, various businesses, as well as targets which we were unable to identify."

Originally created seven years ago as a denial-of-service tool, Black Energy became a popular attack tool for Russian and Eastern European cyber-criminals. The program is not the first to be repurposed for cyber-espionage. An up-and-coming banking trojan named Dyre has become popular as a tool for espionage.

The antivirus firms' original analysis did not find signs of the 0day exploit, according to iSIGHT Partners, which discovered the issue in August and worked with Microsoft to identify the vulnerability.

The attackers made use of a variety of software flaws in addition to the 0day exploit, in some cases chaining together attacks on two vulnerabilities to gain the necessary privileges to run code on the targeted system—an increasingly common practice, iSIGHT said.

The security consultancy tracks at least five apparent Russian groups that focus on cyber espionage.

The Sandworm Team targeted NATO as far back as December 2013, while attendees to a global security conference were targeted in May of 2014. In June, a Polish energy firm, a French telecommunications firm, and other critical industries were targeted.

Listing image by Courtesy of iSIGHT Partners