NSA calls out Russian military hackers targeting mail relay software

The National Security Agency has issued a rare warning publicly attributing exploitation activity to Russian government hackers working for the GRU.
TEMP.ISOTOPE attribution

Hackers working for Russia’s military intelligence agency have been exploiting a vulnerability in a mail relay software since August of last year, according to an alert issued Thursday by the National Security Agency.

The NSA publicly attributes the actions to the Russian military’s Main Center for Special Technologies (GTsST). That group is more commonly known as Sandworm, the hacking group believed to be responsible for Ukraine grid disruptions.

The alert comes amid a broader agency effort to publicly share more unclassified threat intelligence. The NSA established a cybersecurity directorate last year to take the reins on providing real-time information in the hopes to prevent digital intrusions against U.S. networks.

The Exim Mail Transfer Agent (MTA) vulnerability exploited in this case, CVE-2019-10149, allows the threat actors to execute commands and code remotely.


When Sandworm exploits the vulnerability, victim machines download and execute a shell script from a Sandworm-controlled domain, according to the NSA. The script then works to disable network security settings, add privileged users, and execute an additional script to allow further exploitation.

When the patch for the vulnerability was issued last year, there was “no evidence” anyone was actively exploiting it, according to Exim. Within weeks of the patch being issued, the Russian military hackers began their onslaught.

The NSA is urging users to patch the flaw immediately in light of Sandworm’s exploitation. The vulnerability, if left unpatched, is “any attacker’s dream access,” the NSA said.

The NSA also issued guidance on how to detect attempts at exploiting the vulnerability, including advice on querying traffic logs and reviewing network security devices. The NSA also shared indicators of compromise, such as IP addresses and domains, associated with the attacks.

“Using a previous version of Exim leaves a system vulnerable to exploitation,” the NSA guidance says. “System administrators should continually check software versions and update as new versions become available.”


Since the new directorate launched, the NSA has issued multiple advisories on threats, including ones in enterprise software made by Citrix and Microsoft. Those prior warnings have not explicitly attributed the related malicious activity to foreign government actors.

In one case, the NSA warned about Turla, a Russian threat group, but only went so far as to say the group is “widely reported to be associated with Russian actors.”

The rare attribution from the NSA comes just three months after the U.S. government publicly connected Sandworm with the Russia’s GRU. The U.S. government has previously attributed the NotPetya worm and Olympic Destroyer attacks to the group.

An NSA official told CyberScoop that the agency took the rare step of publicly attributing this activity to the Russian government to prompt administrators to pay attention.

“We hope that by highlighting the risk of exploitation by a significant nation-state malicious actor will spur any vulnerable system owner to patch this known vulnerability,” the NSA official said.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts