The attackers behind Operation Pawn Storm continue to evolve their infrastructure and tactics as they swarm their chosen targets.
According to Trend Micro, new intelligence on the group shows they have introduced new infrastructure and are “zeroing in” on targets such as North Atlantic Treaty Organization (NATO) members. The group has been active since 2007, and is believed to be linked to the Russian government. It has targeted military, defense industry as well as government and media organizations around the globe.
“The first quarter of 2015 has seen a great deal of activity from the group,” blogged Feike Hacquebord, senior threat researcher at Trend Micro. “Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.”
According to Hacquebord, the group has traditionally used three distinct attack strategies. One was using spear-phishing emails with malicious Microsoft Office documents laced with the SEDNIT/Sofacy malware. Another was to inject exploits into legitimate Polish government sites that lead victims to the aforementioned malware. Their third strategy has been to send out phishing emails redirecting users to fake Microsoft Outlook Web Access (OWA) login pages.
“In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link,” he blogged. “In one case, the subject of the spam e-mail is the Southern Gas Corridor that the European Union initiated to become less dependent on Russian Gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.”
The emails typically contain a link to what appears to be a legitimate news site. When the user clicks on the link, he or she will load a fingerprinting script that feeds back details like their time zone, browser and installed plugins to the attackers.
“When certain criteria are met the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site,” he blogged. “The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you’re a Linux user, and Sednit if you’re running Windows.”
Among the organizations hit by the group included the White House. According to Trend Micro, the attackers targeted three popular YouTube bloggers with a Gmail phishing attack on Jan. 26 – four days after the bloggers had interviewed President Barack Obama at the White House.
“This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place,” he blogged. “In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.”
Just recently, the attackers took to using malware targeting iOS devices to infect users.