Spyware group ‘Knotweed’ targeting firms in Europe, Microsoft says

28 Jul 2022

Image: © terovesalainen/Stock.adobe.com

Microsoft said a spyware called Subzero has been used to target law firms, banks and strategic consultancies in countries such as Austria, the UK and Panama.

An Austrian “cyber mercenary” group is using Windows and Adobe exploits to target organisations with spyware, according to Microsoft.

Researchers at Microsoft’s Threat Intelligence Center and Security Response Center said the organisation is a private-sector offensive actor (PSOA) called DSIRF, but tracked by Microsoft with the codename Knotweed.

DSIRF claims to help corporations with services such as business intelligence, with products that are tailored to suit each client, according to its website.

However, Microsoft said this firm has developed a spyware called Subzero, which has been used in “limited and targeted attacks” against European and Central American customers.

Microsoft said it has observed attacks targeting law firms, banks and strategic consultancies in countries such as Austria, the UK and Panama.

“As part of our investigation into the utility of this malware, Microsoft’s communications with a Subzero victim revealed that they had not commissioned any red teaming or penetration testing, and confirmed that it was unauthorised, malicious activity,” Microsoft said in a blogpost.

It added that it has found multiple links between DSIRF and the malware used in these attacks, such as command-and-control infrastructure used by the malware directly linking to the firm.

Microsoft digital security unit general manager, Cristin Goodwin, said “commercialised cyberweapons” are threatening consumers, businesses and governments.

“Microsoft believes that allowing private sector offensive actors, or PSOAs, to develop and sell surveillance and intrusion capabilities to unscrupulous governments and business interests endangers basic human rights,” Goodwin said in a blogpost.

Microsoft said it has issued a software update to mitigate the use of the found vulnerabilities. The tech giant has also published signatures of the malware to “protect Windows customers from exploits Knotweed was using to help deliver its malware”.

Microsoft shared written testimony it gave to a US committee hearing on commercial spyware and cyber surveillance.

“This describes how we are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms, where they are used to target human rights advocates, journalists, dissidents and others involved in civil society,” Goodwin said.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic