Researchers at Trend Micro today released a paper on a cyber-espionage operation targeting military, government and media organizations around the world.
The group behind the operation is believed to have been active since at least 2007 and continues to launch new campaigns against targets throughout the world, including the United States. In June 2014 they compromised government websites in Poland and last month infected the website for Power Exchange in Poland as well.
“The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages,” explained Trend Micro Senior Threats Researcher Jim Gogolinski.
“Our investigation into Pawn Storm has shown that the attackers have done their homework,” he added. “Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.”
The spear-phishing emails sent by Pawn Storm attackers can be very target specific. For example, in one instance, a spear-phishing email was sent to just three employees of the legal department of a billion-dollar multinational firm, Gogolinski blogged.
“The e-mail addresses of the recipients are not advertised anywhere online,” he noted. “The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers.”
In Trend Micro’s report, the researchers note that the attackers used a mix of spear-phishing emails and specially-crafted webmail service phishing websites to gain access to victims’ inboxes. The goal of the attackers was to get a foothold in the target organizations. To avoid raising suspicions, the attackers used well-known events and conferences such as the Asia-Pacific Economic Cooperation (APEC) Forum and the Middle East Homeland Security Summit 2014 as part of social engineering schemes designed to trick their targets.
“Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get in to target networks—exploits and data-stealing malware. SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manners of sensitive information from the victims’ computers while effectively evading detection,” according to the report.
The report can be read here.