The origin of the attacks is unknown, but researchers note they bear resemblance to attacks that would originate not just from criminal operations, but from nation-state actors as well.
The attacks took advantage of a zero-day vulnerability—a term for an unknown security flaw that has yet to be fixed—that was found in Microsoft Office. The since-fixed exploit allowed hackers to remotely install malware by sending the victim a fake Word document that concealed the malicious program.
The attack was able to bypass many of the mitigation systems built into Microsoft Office and Windows that are designed to stop malicious files from executing. In a test of the attack conducted by security firm Proofpoint, it was discovered that the exploit only required a user to attempt to open the document. Once Microsoft Office launched and attempted to read the file, the machine would be infected.
In the case of the apparent government-backed hackers, they targeted Russian victims by sending a number of phony documents, including a military manual written in Russian, a document referencing a Russian Ministry of Defense decree, and—according to a report from Motherboard—a document listing the "top 7 hot hacker chicks."
Those phony documents arrived with a piece of spyware known as FinSpy, which is produced by the Germany-based surveillance firm Gamma Group. The company primarily sells to nation-state hackers who use the malicious software for espionage.
Attacks using FinSpy date back to as early as Jan. 27 and appeared active as late as March, meaning the Microsoft Word vulnerability was exploited for months before it was eventually patched.
At the same time apparent government-backed attackers were taking advantage of the exploit, so too were criminal hackers. According to FireEye, attackers leveraging a piece of malware known as LATENTBOT used the same vulnerability in Microsoft Word to swipe user credentials, and were likely financially motivated.
Once the zero-day was disclosed last week by McAfee, it was targeted as part of a spam campaign that sent fake Microsoft Word documents to users in attempts to get them to open the file. If opened, a piece of malware known as Dridex would be installed on the user’s machine. Dridex is often used to steal banking credentials.
The zero-day vulnerability has been patched by Microsoft, though it requires an update to install the fix. Those without the patch remain susceptible to attacks.