Russia-linked Pawn Storm Attackers Exploiting New Adobe Flash Zero-Day

APT28 Attackers

While Adobe released security updates on Tuesday to address multiple security vulnerabilities in Flash Player, Reader and Acrobat, a prominent Russian threat actor group is actively exploiting an unpatched Flash Zero-Day vulnerability in attacks.

According to Trend Micro, the threat group behind Operation Pawn Storm (also known as APT28, Sednit, Fancy Bear, Sofacy and Tsar Team) is using Adobe Flash zero-day exploit code in attacks targeting several Ministries of Foreign Affairs. The attackers, who are believed to be linked to the Russian government, have previously targeted military, defense industry, government and media organizations from across the world.

Despite recent patches issued by Adobe on Oct. 13, this vulnerability is still unpatched, leaving Flash users vulnerable to attacks. The Flash zero-day affects at least Adobe Flash Player versions and, the security firm said.

Trend Micro found in its analysis that several Ministries of Foreign Affairs were targeted with spear phishing e-mails containing links to malicious Web sites that hosted the exploit. Subject lines used to entice users to click included many “interesting” events such as:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

Trend Micro researchers Brooks Li, Feike Hacquebord, and Peter Pi explained in a blog post that recent URLs hosting the new Flash zero-day exploits are similar to those previously used in attacks that targeted NATO members and the White House in April of this year.

“Ministries of Foreign Affairs have become a particular focus of interest for Pawn Storm recently,” the researchers wrote. “Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015.” 

The campaign has also targeted the spouses of senior U.S. officials, Tom Kellermann, Chief Cybersecurity Officer at Trend Micro, told SecurityWeek.

In April, FireEye reported that the threat group had used Flash Player and Windows zero-days in a highly targeted attack aimed at an international government entity. Operation Pawn Storm is assumed to be the same threat actors tracked by FireEye as APT28.

Early this year, Trend Micro found the attackers using malware targeting iOS devices to infect users and steal sensitive information.  

“Pawn Storm has used six zero days in the last year and illustrates organized activity of cyber militias in the former Soviet Bloc,” Kellermann said.

While attribution is always difficult, the Pawn Storm attackers are a skilled team of developers and operators collecting intelligence on defense and geopolitical issues that would clearly benefit Russia. Other organizations targeted by the group in the past include the Caucasus (particularly the Georgian government), Eastern European governments and militaries, and specific security organizations. The threat actors have also targeted attendees of European defense exhibitions, including the Farnborough Airshow 2014, EuroNaval 2014, EUROSATORY 2014, and the Counter Terror Expo.

Related: ‘Operation Pawn Storm’ Continues to Step Up Attack Activity

Related: ‘Operation Pawn Storm’ Cyber-Espionage Campaign Hits Organizations

Related: Cyber Espionage Group Adds iOS Spyware to Its Arsenal

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
