Threat Hunting Content: Espionage Campaign by Sandworm Group

Russian state-sponsored cyber espionage unit known for its destructive attacks is actively compromising Exim mail servers via a critical security vulnerability (CVE-2019-10149). At the end of May, the National Security Agency released a Cyber Security Advisory that warned of a campaign linked to Sandworm Group. The group is best known for its BlackEnergy campaign, the Industroyer attack on the Ukrainian power grid, and NotPetya’s outbreak, one of the most devastating cyberattacks in history.

The Sandworm group attacks victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. When CVE-2019-10149 is successfully exploited, adversaries are able to execute code of their choosing. When the vulnerability is exploited, the victim machine would subsequently download and execute a shell script from a domain owned by attackers, which will try to add privileged users, disable network security settings, and update SSH configurations to enable additional remote access. During the attack, the Sandworm group also exploits other vulnerabilities in Exim mail servers: CVE-2019-10149, CVE-2019-15846, and CVE-2019-16928. The group has been exploiting unpatched mail servers in this way since at least August 2019.

The community threat hunting rule released by Osman Demir enables detection of attacks on Exim servers performed by Sandworm group:

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, 

EDR: Carbon Black, Elastic Endpoint


Tactics: Initial Access

Techniques:  Exploit Public-Facing Application (T1190)