Attackers Are Using Hurricane Sandy to Infiltrate NATO Special Operations Headquarters

By Nofar Gueta | November 20, 2012

Using current events for social engineering scams is nothing new; whenever a major event takes place, attackers find a way to use it. This time, Hurricane Sandy was used to infiltrate NATO’s Special Operations Headquarters.

NATO’s NSHQ, established in 2007, is responsible for developing and coordinating NATO special operations-related activities. Given the sensitivity of its work, it is not surprising that the organization was targeted during October. According to Trend Micro’s analysis, the attack vector was a common one – a social-engineered email carrying a malicious attachment was sent to the organization’s systems. Attached to that mail was a DOC file titled “Did Global Warming Contribute to Hurricane Sandy’s Devastation”. The attachment contained a Trojan identified as “TROJ_ARTIEF.SDY”.

The malware exploits CVE-2010-3333, a stack buffer overflow in the RTF parser of Microsoft Office, which Microsoft patched in 2010. Far from being a zero-day, this vulnerability was used in the high-profile attacks against Tibetan activist organizations, and Sophos analyzed it as one still being exploited 14 months after the advisory was published.
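Two observations from the paragraph above lend themselves to a mail-gateway check: the attachment was a “DOC” file whose content is RTF (Word opens RTF regardless of extension), and CVE-2010-3333 is triggered while parsing the `\sv` value of the `pFragments` shape property. The following scanner is an added example, not code from Cyvera or Trend Micro; the `MAX_SV_LEN` threshold and the sample attachments are constructed for illustration.

```python
import re

# An RTF document always starts with this group header.
RTF_MAGIC = b"{\\rtf"

# CVE-2010-3333 (MS10-087) is a stack overflow in the handling of the \sv data
# of the pFragments property; benign pFragments values are only a few bytes.
PFRAGMENTS_SV_RE = re.compile(
    rb"\\sn\s*pFragments.*?\\sv\s*([0-9a-fA-F;\s]*)", re.DOTALL
)
MAX_SV_LEN = 64  # assumed threshold, well above any legitimate value


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Return heuristic findings for one mail attachment."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    is_rtf = data.lstrip().startswith(RTF_MAGIC)

    # A .doc extension hiding RTF content is a classic lure characteristic.
    if is_rtf and ext == "doc":
        findings.append("rtf-content-with-doc-extension")

    # Flag an implausibly long pFragments \sv payload inside any RTF body.
    if is_rtf:
        for match in PFRAGMENTS_SV_RE.finditer(data):
            if len(match.group(1).strip()) > MAX_SV_LEN:
                findings.append("oversized-pFragments-sv")
                break
    return findings


# Constructed samples: a harmless RTF with the lure title, an RTF carrying an
# oversized pFragments value (filler bytes only, not an exploit), and a real
# OLE2 compound-document header as a genuine .doc would have.
SAMPLE_BENIGN_RTF = (
    b"{\\rtf1\\ansi Did Global Warming Contribute to Hurricane Sandy's "
    b"Devastation\\par}"
)
SAMPLE_OVERSIZED_RTF = (
    b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;" + b"41" * 200 + b"}}}}"
)
SAMPLE_OLE2_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("sandy.doc", SAMPLE_BENIGN_RTF),
                       ("sandy.doc", SAMPLE_OVERSIZED_RTF),
                       ("report.doc", SAMPLE_OLE2_DOC)]:
        print(name, scan_attachment(name, blob))
```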

This is another “classic” targeted attack, in which traditional security measures failed to stop the intrusion, whether for technological or procedural reasons. Cyvera TRAPS successfully prevents exploitation of this vulnerability.