Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

‘Operation Pawn Storm’ Continues to Step Up Attack Activity

The attackers behind Operation Pawn Storm continue to evolve their infrastructure and tactics as they swarm their chosen targets.

The attackers behind Operation Pawn Storm continue to evolve their infrastructure and tactics as they swarm their chosen targets.

According to Trend Micro, new intelligence on the group shows they have introduced new infrastructure and are “zeroing in” on targets such as North Atlantic Treaty Organization (NATO) members. The group has been active since 2007, and is believed to be linked to the Russian government. It has targeted military, defense industry as well as government and media organizations around the globe.

“The first quarter of 2015 has seen a great deal of activity from the group,” blogged Feike Hacquebord, senior threat researcher at Trend Micro. “Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.”

According to Hacquebord, the group has traditionally used three distinct attack strategies. One was using spear-phishing emails with malicious Microsoft Office documents laced with the SEDNIT/Sofacy malware. Another was to inject exploits into legitimate Polish government sites that lead victims to the aforementioned malware. Their third strategy has been to send out phishing emails redirecting users to fake Microsoft Outlook Web Access (OWA) login pages.

“In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link,” he blogged. “In one case, the subject of the spam e-mail is the Southern Gas Corridor that the European Union initiated to become less dependent on Russian Gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.”

The emails typically contain a link to what appears to be a legitimate news site. When the user clicks on the link, he or she will load a fingerprinting script that feeds back details like their time zone, browser and installed plugins to the attackers.

“When certain criteria are met the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site,” he blogged. “The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you’re a Linux user, and Sednit if you’re running Windows.”

Among the organizations hit by the group included the White House. According to Trend Micro, the attackers targeted three popular YouTube bloggers with a Gmail phishing attack on Jan. 26 – four days after the bloggers had interviewed President Barack Obama at the White House.

“This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place,” he blogged. “In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.”

Just recently, the attackers took to using malware targeting iOS devices to infect users. 

“Organizations must remain on high alert for these kinds of attack, as Operation Pawn Storm hackers go to great lengths to make their emails appear legitimate,” he added. “Military and government bodies in the US, Europe and Asia especially must invest in the right advanced cyber security tools to block phishing and malware downloads, and improve user training and education to mitigate the risk of attack.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.