SecurityWeek

Malware & Threats

‘Operation Pawn Storm’ Continues to Step Up Attack Activity

The attackers behind Operation Pawn Storm continue to evolve their infrastructure and tactics as they swarm their chosen targets.

According to Trend Micro, new intelligence on the group shows it has introduced new infrastructure and is “zeroing in” on targets such as North Atlantic Treaty Organization (NATO) members. The group has been active since 2007 and is believed to be linked to the Russian government. It has targeted military, defense-industry, government and media organizations around the globe.

“The first quarter of 2015 has seen a great deal of activity from the group,” blogged Feike Hacquebord, senior threat researcher at Trend Micro. “Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.”

According to Hacquebord, the group has traditionally used three distinct attack strategies. The first was spear-phishing emails carrying malicious Microsoft Office documents that install the SEDNIT/Sofacy malware. The second was injecting exploits into legitimate Polish government websites so that visitors were redirected to the same malware. The third has been phishing emails that send users to fake Microsoft Outlook Web Access (OWA) login pages to harvest credentials.

“In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link,” he blogged. “In one case, the subject of the spam e-mail is the Southern Gas Corridor that the European Union initiated to become less dependent on Russian Gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.”

The emails typically contain a link to what appears to be a legitimate news site. When the user clicks the link, the page loads a fingerprinting script that reports details such as the visitor's time zone, browser and installed plugins back to the attackers, who use that profile to decide whether and how to proceed.

“When certain criteria are met the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site,” he blogged. “The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you’re a Linux user, and Sednit if you’re running Windows.”
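The fingerprint-then-gate flow described in the two paragraphs above, as an added example that is not Trend Micro's code and not the script used by the Pawn Storm operators: a client-side profile of the kind the fake news site collects, the beacon that carries it back, and a server-side rule that decides whether the visitor is shown the "install an HTML5 plugin" lure. The field names, the query format, the gating rules and the sample navigator objects are all assumptions made for illustration; the useful part for a defender is the last function, which flags a request whose query string carries a time zone and plugin inventory rather than an article identifier.

```javascript
// Added example, not code from Trend Micro or from the Pawn Storm operators:
// what a browser-fingerprinting beacon of the kind described above collects,
// how it travels back to the attacker's server, and how that server can gate
// its "install an HTML5 plugin" lure on the profile it receives.
// Field names, the query format and the gating rules are assumptions.

// Client side: gather the profile. `nav` is a navigator-like object and `clock`
// anything exposing getTimezoneOffset(), so the function runs in a browser
// (collectFingerprint(navigator, new Date())) and in Node with constructed input.
function collectFingerprint(nav, clock) {
  const plugins = [];
  for (const p of nav.plugins || []) plugins.push(p.name);
  return {
    ua: nav.userAgent || "",
    platform: nav.platform || "",
    language: nav.language || "",
    tz: clock.getTimezoneOffset(), // minutes from UTC, sign as in the DOM API
    plugins,
  };
}

// Serialise the profile as the query string the beacon would send, for example
// as the src of an <img> or the target of a fetch() to the attacker's server.
function encodeBeacon(fp) {
  const params = new URLSearchParams();
  params.set("ua", fp.ua);
  params.set("platform", fp.platform);
  params.set("lang", fp.language);
  params.set("tz", String(fp.tz));
  params.set("plugins", fp.plugins.join(","));
  return params.toString();
}

// Server side (or a defender reading proxy logs): parse the beacon back.
function decodeBeacon(query) {
  const params = new URLSearchParams(query);
  return {
    ua: params.get("ua") || "",
    platform: params.get("platform") || "",
    language: params.get("lang") || "",
    tz: Number(params.get("tz")),
    plugins: (params.get("plugins") || "").split(",").filter(Boolean),
  };
}

// Server-side gate (assumed rules, for illustration): only a real browser on a
// supported OS is shown the lure; everything else gets the harmless news page.
// Returns "windows", "linux" or null (no lure).
const NON_BROWSER_AGENTS = /curl|wget|python-requests|headless/i;
function selectPayloadFamily(fp) {
  if (!fp.ua || NON_BROWSER_AGENTS.test(fp.ua)) return null; // analyst tooling or empty UA
  if (/^Win/i.test(fp.platform)) return "windows";         // Sednit in the article
  if (/^Linux/i.test(fp.platform)) return "linux";         // X-Agent / Fysbis in the article
  return null;
}

// Defender heuristic: a request to a "news" site whose query carries a time zone
// and a plugin inventory looks like a fingerprint beacon, not an article fetch.
function looksLikeFingerprintBeacon(query) {
  const params = new URLSearchParams(query);
  return params.has("tz") && params.has("plugins") && params.has("ua");
}

// Constructed sample navigator objects (not captured from a real victim).
const SAMPLE_WINDOWS = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0",
  platform: "Win32",
  language: "en-US",
  plugins: [{ name: "Shockwave Flash" }, { name: "Java Deployment Toolkit 8.0.310.13" }],
};
const SAMPLE_CURL = { userAgent: "curl/7.38.0", platform: "", language: "", plugins: [] };

if (typeof require !== "undefined" && require.main === module) {
  const fp = collectFingerprint(SAMPLE_WINDOWS, { getTimezoneOffset: () => -60 });
  const query = encodeBeacon(fp);
  console.log("beacon:", query);
  console.log("gate decision:", selectPayloadFamily(decodeBeacon(query)));
}
```

Run with `node fingerprint_beacon.js` to see the constructed Windows profile serialised and gated; in a proxy or web-server log the same heuristic can be applied to the query string of any request whose referrer is a mail client, which is the path the article's spam emails take.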

Targets have included the White House, approached indirectly. According to Trend Micro, the attackers targeted three popular YouTube bloggers with a Gmail phishing attack on Jan. 26 – four days after the bloggers had interviewed President Barack Obama at the White House.

“This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place,” he blogged. “In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.”

More recently, the group has also used malware targeting iOS devices to infect its victims.

“Organizations must remain on high alert for these kinds of attack, as Operation Pawn Storm hackers go to great lengths to make their emails appear legitimate,” he added. “Military and government bodies in the US, Europe and Asia especially must invest in the right advanced cyber security tools to block phishing and malware downloads, and improve user training and education to mitigate the risk of attack.”

Written By

Marketing professional with a background in journalism and a focus on IT security.