Russia-linked Pawn Storm Attackers Exploiting New Adobe Flash Zero-Day

While Adobe released security updates on Tuesday to address multiple security vulnerabilities in Flash Player, Reader and Acrobat, a prominent Russian threat actor group is actively exploiting an unpatched Flash Zero-Day vulnerability in attacks.

According to Trend Micro, the threat group behind Operation Pawn Storm (also known as APT28, Sednit, Fancy Bear, Sofacy and Tsar Team) is using Adobe Flash zero-day exploit code in attacks targeting several Ministries of Foreign Affairs. The attackers, which are believed to be linked to the Russian government, have previously targeted military, defense industry, government and media organizations from across the world.

Despite recent patches issued by Adobe on Oct. 13, this vulnerability is still unpatched, leaving Flash users vulnerable to attacks. The Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207, the security firm said.

Trend Micro found in its analysis that several Ministries of Foreign Affairs were targeted with spear phishing e-mails containing links to malicious Web sites that hosted the exploit. Subject lines used to entice users to click included many “interesting” events such as:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

Trend Micro researchers Brooks Li, Feike Hacquebord, and Peter Pi explained in a blog post that recent URLs hosting the new Flash zero-day exploits are similar to those previously used in attacks that targeted NATO members and the White House in April of this year.

“Ministries of Foreign Affairs have become a particular focus of interest for Pawn Storm recently,” the researchers wrote. “Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015.” 

The campaign has also targeted the spouses of senior U.S. officials, Tom Kellermann, Chief Cybersecurity Officer at Trend Micro, told SecurityWeek.

In April, FireEye reported that the threat group had used Flash Player and Windows zero-days in a highly targeted attack aimed at an international government entity. Operation Pawn Storm is assumed to be the same threat actors tracked by FireEye as APT28.

Early this year, Trend Micro found the attackers using malware targeting iOS devices to infect users and steal sensitive information.  

“Pawn Storm has used six zero days in the last year and illustrates organized activity of cyber militias in the former Soviet Bloc,” Kellermann said.

While attribution is always difficult, the Pawn Storm attackers are a skilled team of developers and operators collecting intelligence on defense and geopolitical issues that would clearly benefit Russia. Other organizations targeted by the group in the past include the Caucasus (particularly the Georgian government), Eastern European governments and militaries, and specific security organizations. The threat actors have also targeted attendees of European defense exhibitions, including the Farnborough Airshow 2014, EuroNaval 2014, EUROSATORY 2014, and the Counter Terror Expo.

Related: 'Operation Pawn Storm' Continues to Step Up Attack Activity

Related: 'Operation Pawn Storm' Cyber-Espionage Campaign Hits Organizations

Related: Cyber Espionage Group Adds iOS Spyware to Its Arsenal

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.