Arrow-right Camera
The Spokesman-Review Newspaper

The Spokesman-Review Newspaper The Spokesman-Review

Spokane, Washington  Est. May 19, 1883
Clear Night 40° Clear
News >  Spokane

NSA: Russian agents have been hacking major email program

FILE - This Feb 23, 2019, file photo shows the inside of a computer in Jersey City, N.J. The U.S. National Security Agency said Thursday, May 28, 2020, the same Russian military hacking group that interfered in the 2016 presidential election and unleashed a devastating malware attack the following year has been exploiting a major email server program since last August or earlier. (AP Photo/Jenny Kane, File) (Jenny Kane / AP)
FILE - This Feb 23, 2019, file photo shows the inside of a computer in Jersey City, N.J. The U.S. National Security Agency said Thursday, May 28, 2020, the same Russian military hacking group that interfered in the 2016 presidential election and unleashed a devastating malware attack the following year has been exploiting a major email server program since last August or earlier. (AP Photo/Jenny Kane, File) (Jenny Kane / AP)
By Frank Bajak Associated Press

BOSTON – The U.S. National Security Agency says the same Russian military hacking group that interfered in the 2016 presidential election and unleashed a devastating malware attack the following year has been exploiting a major email server program since last August or earlier.

The timing of the agency’s advisory Thursday was unusual considering that the critical vulnerability in the Exim Mail Transfer Agent – which mostly runs on Unix-type operating systems – was identified 11 months ago, when a patch was issued.

Exim is so widely used – though far less known than such commercial alternatives as Microsoft’s proprietary Exchange – that some companies and government agencies that run it may still not have patched the vulnerability, said Jake Williams, president of Rendition Infosec and a former U.S. government hacker.

It took Williams about a minute of online probing on Thursday to find a potentially vulnerable government server in the U.K.

He speculated that the NSA might have issued to advisory to publicize the IP addresses and a domain name used by the Russian military group, known as Sandworm, in its hacking campaign – in hopes of thwarting their use for other means.

The Exim exploit allows an attacker to gain access using specially crafted email and install programs, modify data and create new accounts – gaining a foothold on a compromised network.

The NSA did not say who the Russian military hackers have targeted. But senior U.S. intelligence officials have warned in recent months that Kremlin agents are engaged in activities that could threaten the integrity of the November presidential election.

An NSA official reached by the Associated Press would only say that the agency is publicizing the vulnerability because, despite an October warning by British officials, it “has continued to be exploited and needs to be patched.” The hope, in now publicizing Sandworm’s role, is to further motivate patching, said the official, who spoke on condition they not be further identified.

Sandworm agents, tied to Russia’s GRU military intelligence arm, wreaked havoc on the 2016 U.S. presidential election, stealing and exposing Democratic National Committee emails and breaking into voter registration databases.

They also have been blamed by the U.S. and U.K. governments for the June 2017 NotPetya cyberattack, which targeted businesses that operate in Ukraine. It caused at least $10 billion in damage globally, most notably to the Danish shipping multinational Maersk.

The Spokesman-Review Newspaper

Local journalism is essential.

Give directly to The Spokesman-Review's Northwest Passages community forums series -- which helps to offset the costs of several reporter and editor positions at the newspaper -- by using the easy options below. Gifts processed in this system are not tax deductible, but are predominately used to help meet the local financial requirements needed to receive national matching-grant funds.

Active Person

Subscribe to the Coronavirus newsletter

Get the day’s latest Coronavirus news delivered to your inbox by subscribing to our newsletter.