Researchers at Trend Micro today released a paper on a cyber-espionage operation targeting military, government and media organizations around the world.
The group behind the operation is believed to have been active since at least 2007 and continues to launch new campaigns against targets throughout the world, including the United States. In June 2014 they compromised government websites in Poland and last month infected the website for Power Exchange in Poland as well.
“The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages,” explained Trend Micro Senior Threats Researcher Jim Gogolinski.
“Our investigation into Pawn Storm has shown that the attackers have done their homework,” he added. “Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.”
The spear-phishing emails sent by Pawn Storm attackers can be very target specific. For example, in one instance, a spear-phishing email was sent to just three employees of the legal department of a billion-dollar multinational firm, Gogolinski blogged.
“The e-mail addresses of the recipients are not advertised anywhere online,” he noted. “The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers.”
In Trend Micro’s report, the researchers note that the attackers used a mix of spear-phishing emails and specially-crafted webmail service phishing websites to gain access to victims’ inboxes. The goal of the attackers was to get a foothold in the target organizations. To avoid raising suspicions, the attackers used well-known events and conferences such as the Asia-Pacific Economic Cooperation (APEC) Forum and the Middle East Homeland Security Summit 2014 as part of social engineering schemes designed to trick their targets.
“Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get in to target networks—exploits and data-stealing malware. SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manners of sensitive information from the victims’ computers while effectively evading detection,” according to the report.
The report can be read here.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
