
Pawn Storm Attackers Target MH17 Plane Crash Investigators

Organizations tasked with investigating the crash of Malaysia Airlines Flight MH17 have been targeted by the Russia-linked threat group known as Pawn Storm, Trend Micro reported on Thursday.

Flight MH17, traveling from Amsterdam to Kuala Lumpur, crashed on July 17, 2014 after being hit by a Russian-made missile while flying over a conflict zone in eastern Ukraine. The investigation into the incident was led by the Dutch Safety Board (DSB), which published a report on the crash of MH17 on October 13.

According to Trend Micro researchers, the Pawn Storm cyber espionage group (also known as Sednit, APT28, Fancy Bear, Sofacy and Tsar Team) targeted the DSB both before and after the organization published its report on the incident.

“We believe that a coordinated attack from several sides was launched to get unauthorized access to sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities,” researchers said.

The security firm discovered that the attackers set up fake Secure File Transfer Protocol (SFTP) and VPN servers designed to mimic servers of the Dutch Safety Board, most likely in an effort to phish the credentials of the organization’s staff. The goal was to obtain credentials that could then be used to access the legitimate SFTP and VPN servers.

Trend Micro says this is the first time it has found direct evidence that an APT actor has targeted a VPN server.

“The VPN server of the Safety Board looks to use temporary tokens for authentication. However, these tokens can be phished in a straightforward way and tokens alone do not protect against one-time unauthorized access by third parties, once the target falls for the phishing attack,” experts said.
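The rogue SFTP and VPN servers described above only work if staff can be steered to a hostname that looks like the real one, so one practical control on the defender's side is to watch the organisation's own DNS resolver logs for look-alike names and tie each hit back to the service being impersonated. The script below is an added example written for this article, not Trend Micro's or the Dutch Safety Board's code; the protected hostnames, the owned domain, the client IP addresses and the BIND-style query log lines are all constructed placeholders, and the log format is an assumption.

```python
"""Flag DNS queries for look-alike hostnames that impersonate an organisation's
remote-access servers (VPN, SFTP, OWA).

Added example; not Trend Micro's or the Dutch Safety Board's code. Every
hostname, IP address and log line here is a constructed placeholder.
"""
import re

# Hostnames of the legitimate remote-access servers to protect (constructed).
LEGIT_HOSTS = {
    "vpn.safetyboard-example.nl",
    "sftp.safetyboard-example.nl",
    "owa.safetyboard-example.nl",
}
# Registered domains the organisation actually owns (constructed).
LEGIT_DOMAINS = {"safetyboard-example.nl"}

# Characters commonly swapped in to make an impostor name look legitimate:
# digits that resemble letters and Cyrillic letters that look like Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize(host):
    """Canonical form for fuzzy comparison: lower-case, confusables mapped,
    separators removed (so 'vpn-foo.nl' and 'vpn.foo.nl' compare equal)."""
    h = host.lower().rstrip(".").translate(CONFUSABLES)
    return h.replace("-", "").replace(".", "")


def levenshtein(a, b):
    """Edit distance between two strings (standard two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, legit_hosts=LEGIT_HOSTS, legit_domains=LEGIT_DOMAINS,
             max_distance=2):
    """Return (verdict, matched_legit_host).

    verdict is one of:
      'legit'     - exactly one of the protected hostnames
      'internal'  - another name under a domain the organisation owns
      'lookalike' - outside owned domains but within max_distance edits of a
                    protected hostname, or embedding one as a label prefix
      'unrelated' - anything else
    """
    h = host.lower().rstrip(".")
    if h in legit_hosts:
        return "legit", h
    if any(h == d or h.endswith("." + d) for d in legit_domains):
        return "internal", None
    n = normalize(h)
    best = None
    for legit in legit_hosts:
        nl = normalize(legit)
        # Embedding covers names such as vpn.safetyboard-example.nl.attacker.test
        dist = 0 if nl in n else levenshtein(n, nl)
        if best is None or dist < best[0]:
            best = (dist, legit)
    if best is not None and best[0] <= max_distance:
        return "lookalike", best[1]
    return "unrelated", None


# BIND-style query log line (constructed sample; the format is assumed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$")


def scan_dns_log(lines, **kwargs):
    """Return one (timestamp, client, queried_name, impersonated_host) tuple per
    look-alike query; the impersonated host tells the responder which service
    was spoofed and therefore which credentials or tokens to treat as exposed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict, target = classify(m["qname"], **kwargs)
        if verdict == "lookalike":
            hits.append((m["ts"], m["client"], m["qname"], target))
    return hits


# Constructed resolver log: one legitimate query, one internal sibling host,
# one unrelated name and three impersonation attempts of different shapes.
SAMPLE_LOG = [
    "2015-10-15T09:12:01Z client 10.20.30.41 query: vpn.safetyboard-example.nl IN A",
    "2015-10-15T09:12:05Z client 10.20.30.41 query: vpn.safetyb0ard-example.nl IN A",
    "2015-10-15T09:13:44Z client 10.20.30.57 query: sftp-safetyboard-example.nl IN A",
    "2015-10-15T09:14:10Z client 10.20.30.57 query: mail.safetyboard-example.nl IN A",
    "2015-10-15T09:15:02Z client 10.20.30.63 query: owa.safetyboard-example.nl.login-portal.test IN A",
    "2015-10-15T09:16:30Z client 10.20.30.63 query: www.example.test IN A",
]

if __name__ == "__main__":
    for ts, client, qname, target in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname} (impersonates {target})")
```

The `internal` class keeps ordinary sibling hosts in the organisation's own domain from being flagged, which a bare edit-distance check would otherwise do; `max_distance` is the knob to tune against the length of the protected names. A hit here identifies which server was spoofed and from which client, which is what an incident responder needs to act on the point the quoted researchers make: a one-time token phished through such a server is still valid for one login, so the useful response is to invalidate that session or account rather than to rely on the token alone.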

In addition to the DSB, the attackers also targeted one of the organization’s key partners using a rogue Outlook Web Access (OWA) server, a technique previously used by Pawn Storm in attacks aimed at defense companies in the United States. The security company says it warned the targeted entity at an early stage of the attack, so the attempt was probably blocked.

Over the past couple of months, Pawn Storm has also taken an increased interest in Syrian opposition groups and Arab countries that object to Russia’s intervention in Syria. Trend Micro says the group has set up several fake OWA servers in an effort to target the military, the Foreign Affairs Ministries, and the Defense Ministries of these countries.

The Russia-linked threat actor’s activities made the news earlier this month after researchers discovered that it had been using an Adobe Flash Player zero-day to target Foreign Affairs Ministries.

Trend Micro also revealed this week that the group had used a Java zero-day patched by Oracle with the release of the October 2015 CPU in attacks aimed at the White House and NATO member countries.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.