Russian Cyberspies Hacked High-Profile Email Accounts for Phishing

The Russia-linked cyber-espionage group known as Pawn Storm has been leveraging hijacked email accounts to send phishing emails to potential victims, Trend Micro’s security researchers reveal.

Active since at least 2004, the group is also referred to as APT28, Sednit, Fancy Bear, and Strontium, and is believed to be sponsored by Russia’s GRU intelligence agency. The adversary is believed to have orchestrated attacks on Ukraine, NATO countries, and the DNC ahead of the 2016 elections in the United States.

For years, Pawn Storm has relied on phishing to gain access to systems of interest, but Trend Micro observed a shift in tactics, techniques, and procedures (TTPs) in May 2019, when the group started using the compromised email accounts of high-profile targets to send credential phishing emails.

The scheme was used both in 2019 and 2020, with email accounts belonging to defense companies in the Middle East being abused the most. Other victims were observed in the transportation, utilities, and government sectors.

“The reason for the shift to the use of compromised email accounts of (mostly) defense companies in the Middle East is unclear. Pawn Storm could be attempting to evade spam filtering at the cost of making some of their successful compromises known to security companies. However, we did not notice a significant change in successful inbox deliveries of the group’s spam campaigns, making it difficult to understand the rationale behind the change in methodology,” Trend Micro notes in a new report (PDF).

Last year, the group also engaged in the probing of email servers and Microsoft Exchange Autodiscover servers worldwide, mainly targeting TCP port 443, IMAP ports 143 and 993, POP3 ports 110 and 995, and SMTP ports 465 and 587.

These probes were likely aimed at finding vulnerable systems whose credentials could be brute-forced, after which the attackers could exfiltrate email and send out spam.


Between August and November 2019, the group targeted armed forces, defense companies, governments, law firms, political parties, and universities, as well as private schools in France and the United Kingdom, and a kindergarten in Germany.

Between November and December 2019, the attackers used the same IP address to host websites and to scan for systems with exposed TCP ports 445 and 1433, likely in an attempt to find vulnerable servers running Microsoft SQL Server and Directory Services.
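The port probing described in the two passages above (mail and Autodiscover ports, then 445 and 1433) is something a defender can pick out of perimeter connection logs. The following is an added detection example, not code from Trend Micro or SecurityWeek; the log format, source addresses and thresholds are constructed for illustration, and the watched port list is the one the article reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says Pawn Storm probed: HTTPS/Autodiscover, IMAP, POP3 and
# SMTP submission, plus the SMB and MS SQL ports seen in the later scans.
MAIL_PORTS = {443, 143, 993, 110, 995, 465, 587}
SERVER_PORTS = {445, 1433}
WATCHED = MAIL_PORTS | SERVER_PORTS

def parse_line(line):
    """Parse one constructed firewall log line: '<ISO time> <src> -> <dst>:<dport>'."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_probing_sources(lines, min_ports=3, window=timedelta(minutes=10)):
    """Return {src: sorted ports} for sources that hit at least `min_ports`
    distinct watched ports (on any destination) inside a sliding time window.
    A client that repeatedly uses one port (a normal IMAP user) is not flagged."""
    events = defaultdict(list)  # src -> [(time, port)]
    for line in lines:
        ts, src, _dst, port = parse_line(line)
        if port in WATCHED:
            events[src].append((ts, port))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

# Constructed sample: one source sweeping mail ports, one legitimate mail client,
# and one source touching 445 and 1433 on a single host.
SAMPLE_LOG = """\
2019-11-02T09:00:01 203.0.113.7 -> 198.51.100.10:443
2019-11-02T09:00:03 203.0.113.7 -> 198.51.100.10:993
2019-11-02T09:00:05 203.0.113.7 -> 198.51.100.10:587
2019-11-02T09:00:07 203.0.113.7 -> 198.51.100.11:143
2019-11-02T09:01:00 192.0.2.55 -> 198.51.100.10:993
2019-11-02T09:02:00 192.0.2.55 -> 198.51.100.10:993
2019-11-02T09:05:00 203.0.113.9 -> 198.51.100.20:445
2019-11-02T09:05:02 203.0.113.9 -> 198.51.100.20:1433
""".splitlines()

if __name__ == "__main__":
    for src, ports in find_probing_sources(SAMPLE_LOG).items():
        print(f"possible service probing from {src}: ports {ports}")
```

Lowering `min_ports` to 2 also catches the two-port SMB/SQL sweep at the cost of more noise from hosts that legitimately reach several mail ports.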

Between 2017 and 2019, Pawn Storm launched multiple credential phishing campaigns from their servers, including spam waves against webmail providers in the United States, Russia, and Iran, the security researchers note.

“The threat actor group has plenty of resources that allow them to run lengthy campaigns, determined in the pursuit of their targets. Their attacks, which range from compromising DNS settings and tabnabbing to creating watering holes and taking advantage of zero-days, have been nothing short of sophisticated. And as evidenced by their recent activities, we expect even more direct attacks against webmail and cloud services that don’t rely on malware,” Trend Micro concludes.

Related: Phishing Campaign Targeting Ukrainian Firm Burisma Linked to Russian Cyberspies

Related: Microsoft Says Russian Hackers Targeted Democratic Institutions in Europe

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
