Microsoft said Tuesday it will release a patch next week to block a hacking threat by a group linked to Russia’s GRU intelligence agency that exploits Windows and Adobe Flash to take over a user’s computer.
In a blog post, Microsoft criticized Google’s Threat Analysis Group, which discovered the hack, for revealing the problem Monday, before security patches were ready, “putting customers at increased risk.” The patch is scheduled for release next Tuesday as part of the regular November update.
Microsoft identified the group responsible for the attack as Strontium, also known as Fancy Bear and APT28. Reuters reported it has been linked to the Russian government and U.S. political hacks. The group generally targets government agencies, diplomatic institutions and military organizations as well as defense contractors and public policy research groups in spear-phishing attacks. It frequently uses email accounts from one victim to send infected emails to a second victim and will pursue targets for months.
The hackers burrow deep into the victim network to steal sensitive information.
The latest Strontium attack exploits Adobe Flash to gain control of the browser process, then elevates privileges to escape the browser and install a backdoor to provide access to the victim’s computer.
Adobe released a patch for Flash Monday, and Microsoft has already partially addressed the privilege issue but warned there is no guarantee the “attackers will not find an alternative workaround.” Microsoft suggests that those not using Edge as their browser implement strict code integrity policies.
Google said it revealed the problem, which it discovered Saturday, because it was being actively exploited.
Fancy Bear fancies itself standing “for fair play and clean sport,” bragging on its website about hacking the World Anti-Doping Agency.
Earlier this year, Microsoft filed a complaint in federal court in Alexandria, Virginia, seeking a court order to force the hackers to return all the information obtained illegally and relinquish all domain names used in the spear-phishing attacks.