Pawn Storm, the cyber espionage group linked by some researchers to Russia, has recently started targeting government and news organizations in Turkey, Trend Micro reported on Monday.
The economic and politically-motivated threat actor, which has been active for the past decade, is also known as APT28, Sednit, Sofacy, Fancy Bear and Tsar Team. The group has focused its activities on individuals and military, government, media and defense organizations from across the world, including Ukraine, Poland, Russia, the United States, and various NATO member countries. The list of known targets also includes governments in Europe, Asia and the Middle East.
Trend Micro recently discovered that Turkey has also been added to Pawn Storm’s list of targets. More precisely, starting with mid-January and until late February, the group was spotted attacking the Turkish government’s Directorate General of Press and Information, the country’s Grand National Assembly, the newspaper Hürriyet, and the Prime Minister’s Office (Başbakanlık).
Experts noted that if Pawn Storm is really a Russian group, it would make sense for it to target Turkey. Russia could have an interest in Turkey for several reasons, including the incident in which Turkey shot down a Russian warplane in the Turkey-Syria border area, disputes related to Kurdish groups, and refugees entering Europe via Turkey.
In one attack against Turkey, Pawn Storm set up fake Outlook Web Access (OWA) servers in order to gain access to sensitive information. The cyber-espionage actor is known for using this technique, including in attacks aimed at defense companies in the U.S. and organizations tasked with investigating the crash of Malaysia Airlines Flight MH17.
“Phishing attacks against OWA users are relatively inexpensive for the attackers, but can be highly effective to steal sensitive information,” Trend Micro senior threat researcher Feike Hacquebord explained in a blog post.
Similar to other Pawn Storm targets, Turkey could also be perceived as a threat to Russia. Experts believe the latest attacks are related to previous operations targeting the Syrian opposition and Arab countries that criticized Russia’s intervention in Syria.
“The target list above shows that Pawn Storm may be after political information from Turkey: even the Turkish parliament got attacked. The fact they have set up at least two fake OWA servers for one of the largest Turkish newspapers may also be considered as further proof that they are also after information on what is going on in major media outlets in that country,” Hacquebord noted.
Trend Micro said it managed to warn Turkish authorities about the attacks, allowing them to take action before too much damage was caused.
In the operation aimed at Turkey, the cyber espionage group leveraged infrastructure provided by a company in the Netherlands, whose services had been previously used by several other threat actors, including Carbanak cybercriminals and the Gaza cybergang.