iSIGHT Partners released a report today outlining the exploitation of the 0-day vulnerability tracked as CVE-2014-4114 by a threat actor team they have dubbed "The Sandworm Team". Believed to originate in Russia, their targets have included NATO, energy and telecommunications firms, as well as several European countries and US educational institutions.
Their common modus operandi is spear phishing: luring users into opening weaponized PowerPoint files that install one of the many BlackEnergy malware variants.
RSA has updated our third-party IOC feed to contain the IP addresses of the control servers being used by the Sandworm Team. Customers subscribing to the "Third Party IOC IPs" feed can run the following pivot within Security Analytics to identify potentially compromised hosts:
threat.desc begins "sandworm team"
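The mechanics behind that pivot, written out as an added example (this is not RSA's code and not how Security Analytics is implemented): an IP-indicator feed is loaded, each connection record whose destination appears in the feed is tagged with the feed's threat description, and the analyst then filters the tagged records by description prefix. The feed format, the log format, and every IP address below are constructed for the example (RFC 5737 TEST-NET ranges), not real Sandworm infrastructure.

```python
"""Match connection records against a constructed IP-IOC feed and filter
the hits by threat-description prefix, mirroring the
'threat.desc begins "sandworm team"' pivot described in the post.
Added example; not RSA's code. All IPs are constructed placeholders."""

import csv
import io
from dataclasses import dataclass

# Constructed IOC feed: CSV of indicator IP and a free-text threat description.
# The threat_desc column plays the role of the threat.desc meta key.
IOC_FEED_CSV = """ip,threat_desc
192.0.2.10,sandworm team c2 (constructed placeholder)
192.0.2.11,sandworm team c2 (constructed placeholder)
198.51.100.5,other feed entry (constructed placeholder)
"""

# Constructed connection log lines: timestamp, source IP, destination IP, port.
LOG_LINES = [
    "2014-10-14T10:01:02Z 10.0.0.4 192.0.2.10 443",
    "2014-10-14T10:01:09Z 10.0.0.7 203.0.113.20 80",
    "2014-10-14T10:02:15Z 10.0.0.4 198.51.100.5 8080",
    "2014-10-14T10:03:40Z 10.0.0.9 192.0.2.11 443",
]


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    threat_desc: str


def load_feed(feed_csv: str) -> dict[str, str]:
    """Parse the feed into {ip: threat_desc}. Descriptions are lowercased so
    the prefix comparison is case-insensitive, as an analyst would expect."""
    reader = csv.DictReader(io.StringIO(feed_csv))
    return {row["ip"].strip(): row["threat_desc"].strip().lower() for row in reader}


def parse_line(line: str) -> tuple[str, str, str, int]:
    """Split one constructed log line into its four fields."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def tag_hits(lines, feed: dict[str, str]) -> list[Hit]:
    """Return one Hit per record whose destination IP is in the feed.
    Only the destination is checked because the feed lists control servers
    that infected hosts connect out to."""
    hits = []
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if dst in feed:
            hits.append(Hit(ts, src, dst, port, feed[dst]))
    return hits


def pivot_begins(hits: list[Hit], prefix: str) -> list[Hit]:
    """Keep only hits whose description starts with `prefix`; this is the
    'threat.desc begins ...' filter from the post."""
    p = prefix.lower()
    return [h for h in hits if h.threat_desc.startswith(p)]


def suspect_hosts(lines=LOG_LINES, feed_csv=IOC_FEED_CSV, prefix="sandworm team") -> list[str]:
    """Internal source IPs that contacted an indicator whose description
    begins with `prefix`, deduplicated and sorted for triage."""
    feed = load_feed(feed_csv)
    return sorted({h.src_ip for h in pivot_begins(tag_hits(lines, feed), prefix)})


if __name__ == "__main__":
    feed = load_feed(IOC_FEED_CSV)
    for hit in pivot_begins(tag_hits(LOG_LINES, feed), "sandworm team"):
        print(hit)
    print("hosts to triage:", suspect_hosts())
```

The prefix filter is deliberately applied after tagging rather than by pre-filtering the feed: the same tagged records can then be pivoted on any other description without re-scanning the logs, which is the point of keeping the threat description attached to each hit.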