Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Pawn Storm Group Targets Turkey

Pawn Storm, the cyber espionage group linked by some researchers to Russia, has recently started targeting government and news organizations in Turkey, Trend Micro reported on Monday.

Pawn Storm, the cyber espionage group linked by some researchers to Russia, has recently started targeting government and news organizations in Turkey, Trend Micro reported on Monday.

The economic and politically-motivated threat actor, which has been active for the past decade, is also known as APT28, Sednit, Sofacy, Fancy Bear and Tsar Team. The group has focused its activities on individuals and military, government, media and defense organizations from across the world, including Ukraine, Poland, Russia, the United States, and various NATO member countries. The list of known targets also includes governments in Europe, Asia and the Middle East.

Trend Micro recently discovered that Turkey has also been added to Pawn Storm’s list of targets. More precisely, starting with mid-January and until late February, the group was spotted attacking the Turkish government’s Directorate General of Press and Information, the country’s Grand National Assembly, the newspaper Hürriyet, and the Prime Minister’s Office (Başbakanlık).

Experts noted that if Pawn Storm is really a Russian group, it would make sense for it to target Turkey. Russia could have an interest in Turkey for several reasons, including the incident in which Turkey shot down a Russian warplane in the Turkey-Syria border area, disputes related to Kurdish groups, and refugees entering Europe via Turkey.

In one attack against Turkey, Pawn Storm set up fake Outlook Web Access (OWA) servers in order to gain access to sensitive information. The cyber-espionage actor is known for using this technique, including in attacks aimed at defense companies in the U.S. and organizations tasked with investigating the crash of Malaysia Airlines Flight MH17.

“Phishing attacks against OWA users are relatively inexpensive for the attackers, but can be highly effective to steal sensitive information,” Trend Micro senior threat researcher Feike Hacquebord explained in a blog post.

Similar to other Pawn Storm targets, Turkey could also be perceived as a threat to Russia. Experts believe the latest attacks are related to previous operations targeting the Syrian opposition and Arab countries that criticized Russia’s intervention in Syria.

“The target list above shows that Pawn Storm may be after political information from Turkey: even the Turkish parliament got attacked. The fact they have set up at least two fake OWA servers for one of the largest Turkish newspapers may also be considered as further proof that they are also after information on what is going on in major media outlets in that country,” Hacquebord noted.

Trend Micro said it managed to warn Turkish authorities about the attacks, allowing them to take action before too much damage was caused.

In the operation aimed at Turkey, the cyber espionage group leveraged infrastructure provided by a company in the Netherlands, whose services had been previously used by several other threat actors, including Carbanak cybercriminals and the Gaza cybergang.

Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux

Related: Oracle Patches Java Zero-Day Exploited by Pawn Storm Attackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.