Security Experts:

Connect with us

Hi, what are you looking for?



Pawn Storm Attackers Target MH17 Plane Crash Investigators

Organizations tasked with investigating the crash of Malaysia Airlines Flight MH17 have been targeted by the Russia-linked threat group known as Pawn Storm, Trend Micro reported on Thursday.

Organizations tasked with investigating the crash of Malaysia Airlines Flight MH17 have been targeted by the Russia-linked threat group known as Pawn Storm, Trend Micro reported on Thursday.

Flight MH17, traveling from Amsterdam to Kuala Lumpur, crashed on July 17, 2014 after being hit by a Russian-made missile while flying over a conflict zone in eastern Ukraine. The investigation into the incident was led by the Dutch Safety Board (DSB), which published a report on the crash of MH17 on October 13.

According to Trend Micro researchers, the Pawn Storm cyber espionage group (also known as Sednit, APT28, Fancy Bear, Sofacy and Tsar Team) targeted the DSB both before and after the organization published its report on the incident.

“We believe that a coordinated attack from several sides was launched to get unauthorized access to sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities,” researchers said.

The security firm discovered that the attackers set up fake Secure File Transfer Protocol (SFTP) and VPN servers designed to mimic servers of the Dutch Safety Board most likely in an effort to phish the credentials of the organization’s staff. The goal was to obtain credentials that they could use to access the legitimate SFTP and VPN servers.

Trend Micro says this is the first time it has found direct evidence that an APT actor has targeted a VPN server.

“The VPN server of the Safety Board looks to use temporary tokens for authentication. However, these tokens can be phished in a straightforward way and tokens alone do not protect against one-time unauthorized access by third parties, once the target falls for the phishing attack,” experts said.

In addition to the DSB, the attackers also targeted one of the organization’s key partners using a rogue Outlook Web Access (OWA) server, a technique previously used by Pawn Storm in attacks aimed at defense companies in the United States. The security company says it has warned the targeted entity in an early stage of the attack so the attempt was probably blocked.

Over the past couple of months, Pawn Storm has also taken an increased interest in Syrian opposition groups and Arab countries that object to Russia’s intervention in Syria. Trend Micro says the group has set up several fake OWA servers in an effort to target the military, the Foreign Affairs Ministries, and the Defense Ministries of these countries.

The Russia-linked threat actor’s activities made the news earlier this month after researchers discovered that they had been using an Adobe Flash Player zero-day to target Foreign Affairs Ministries.

Trend Micro also revealed this week that the group had used a Java zero-day patched by Oracle with the release of the October 2015 CPU in attacks aimed at the White House and NATO member countries.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

M&A Tracker

The SecurityWeek editorial team huddled over the holidays to look back at the stories that shaped 2022 and, more importantly, to stare into a...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...