The Russia-linked cyber-espionage group known as Pawn Storm has been leveraging hijacked email accounts to send phishing emails to potential victims, Trend Micro’s security researchers reveal.
Active since at least 2004, the group is also referred to as APT28, Sednit, Fancy Bear, and Strontium, and is believed to be sponsored by Russia’s GRU intelligence agency. The adversary is believed to have orchestrated attacks on Ukraine, NATO countries, and the DNC ahead of the 2016 elections in the United States.
For years, Pawn Storm has relied on phishing to gain access to systems of interest, but Trend Micro observed a shift in tactics, techniques, and procedures (TTPs) in May 2019, when the group started using the compromised email accounts of high-profile targets to send credential phishing emails.
The scheme was used both in 2019 and 2020, with email accounts belonging to defense companies in the Middle East being abused the most. Other victims were observed in the transportation, utilities, and government sectors.
“The reason for the shift to the use of compromised email accounts of (mostly) defense companies in the Middle East is unclear. Pawn Storm could be attempting to evade spam filtering at the cost of making some of their successful compromises known to security companies. However, we did not notice a significant change in successful inbox deliveries of the group’s spam campaigns, making it difficult to understand the rationale behind the change in methodology,” Trend Micro notes in a new report (PDF).
Last year, the group also engaged in the probing of email servers and Microsoft Exchange Autodiscover servers worldwide, mainly targeting TCP port 443, IMAP ports 143 and 993, POP3 ports 110 and 995, and SMTP ports 465 and 587.
These attacks might have been aimed at the discovery of vulnerable systems to brute-force credentials, exfiltrate emails, and send out spam.
Between August and November 2019, the group targeted armed forces, defense companies, governments, law firms, political parties, and universities, as well as private schools in France and the United Kingdom, and a kindergarten in Germany.
Between November and December 2019, the attackers used the same IP address to host websites and scan for systems with exposed 445 and 1433 ports, likely in an attempt to find vulnerable servers running Microsoft SQL Server and Directory Services.
Between 2017 and 2019, Pawn Storm launched multiple credential phishing campaigns from their servers, including spam waves against webmail providers in the United States, Russia, and Iran, the security researchers note.
“The threat actor group has plenty of resources that allow them to run lengthy campaigns, determined in the pursuit of their targets. Their attacks, which range from compromising DNS settings and tabnabbing to creating watering holes and taking advantage of zero-days, have been nothing short of sophisticated. And as evidenced by their recent activities, we expect even more direct attacks against webmail and cloud services that don’t rely on malware,” Trend Micro concludes.
Related: Phishing Campaign Targeting Ukrainian Firm Burisma Linked to Russian Cyberspies
Related: Microsoft Says Russian Hackers Targeted Democratic Institutions in Europe