An espionage campaign targeting hundreds of organisations around the globe is using two commonly exploited flaws in Microsoft Word to steal corporate data.
Kaspersky Lab researchers said the campaign has been active since early 2004, though the majority of infections occurred in the last three years.
Throughout the extensive campaign, the NetTraveler group has infected 350 victims in 40 countries; government and military organisations, activists, oil and gas companies and research centers were the primary targets.
Victims have mostly been in Mongolia, Russia and India, but organisations in the United States are among those impacted.
Between 2010 and 2013 – the period of time when researchers saw the most cyber espionage activity – the group has stolen data belonging to organisations in the space exploration, nanotechnology, medicine, communications and nuclear power and energy production industries.
Since 2004, researchers estimate that more than 22 gigabytes of stolen data has been stored on the NetTraveler group's command-and-control servers.
To deliver the malicious toolkit, which also installs other information-stealing malware once downloaded onto victims' computers, attackers send spear phishing emails that are carefully crafted to lure the intended target into opening weaponized, attached documents.
Perpetrators email Microsoft Word documents to their targets and exploit two vulnerabilities, CVE-2012-0158 and CVE-2010-3333, to rig the attachments with the NetTraveler toolkit.
The flaws, for which Microsoft has already released patches, were also used to deliver the Rocra trojan in a five-year-long espionage campaign, called Red October, which was uncovered by Kaspersky in January.
Researchers say the Red October and NetTraveler campaigns weren't staged by the same group. However, whereas a Russian-speaking alliance was thought to be behind Red October, Kaspersky believes some 50 individuals, whose native language is Chinese, are operating the NetTraveler spy ring.
Kaspersky Lab researcher Kurt Baumgartner said the Word exploits are frequently used by attackers simply because they are easy to leverage.
“Exploits targeting CVE-2012-0158 and CVE-2010-3333 generally are reliable, easily built by a number of exploit generation kits, and target the almost ubiquitous Microsoft Office suite that appears to be poorly maintained at many targeted organisations,” Baumgartner said.
Weaponized documents also “fit well into social engineering and spear phishing schemes” – often used by groups to gain access to corporate data, he said.
The NetTraveler campaign is another prime example of how cyber espionage groups continue to rely on businesses' inadequate patching practices to easily infiltrate organisations.
“Witnessing how effectively these security holes have been abused for the past couple of years is a real concern,” Baumgartner said. “It's unfortunate that many organisations do not have the resources or expertise to support their networks adequately.”