Blog by Ross Dyer, Technical Director at Trend Micro
Thought you’d seen the last of prolific hacking group Pawn Storm? Think again. Just-published research from Trend Micro reveals fascinating new insights into one of the world’s longest-running cyber espionage groups. As politicians in the US continue to argue over the impact of its audacious campaign against Democratic Party officials last year, Pawn Storm is at it again, attempting to influence public opinion ahead of major elections in France and Germany.
We’ve discovered multiple phishing domains set up by the group explicitly to target French presidential front-runner Emmanuel Macron and German political organisations allied to two main parties there.
Our report, Two Years of Pawn Storm, reveals a highly organised and sophisticated group whose tactics should make essential reading for any IT security professional looking to improve their organisation’s defences.
A brief history of Pawn Storm
Pawn Storm – also known as Sednit, Fancy Bear, APT28, Sofacy, and STRONTIUM – dates back as far as 2004. So prolific has it been that Trend Micro has released more than a dozen detailed posts on the group since 2014. Although attribution is always difficult, we can certainly say that its targets broadly align with Russia’s interests. They include the anti-doping agency WADA, NATO, the US military, and Ukrainian activists, government and military.
Most recently, however, the group has begun an apparently new campaign designed to use its espionage capabilities to influence public opinion. We saw it most clearly with the hacking of Democratic National Convention (DNC) and Democratic Congressional Campaign Committee (DCCC) officials ahead of the US election, which was eventually won by Donald Trump, the preferred candidate of Vladimir Putin. In that campaign and others it has sought to hide behind fake “hacktivist” profiles such as Guccifer 2.0 to publicise stolen information via the mainstream media and sites such as WikiLeaks.
How do we know it’s them? By closely monitoring C&C server activity, phishing emails and malware samples linked to the group, which we found on its servers as opposed to open source platforms like VirusTotal.
Thousands of targets
Be in no doubt: this is a well-resourced and highly aggressive group, which maintains a running list of thousands of targets. We’ve seen them run as many as 50 phishing campaigns over a nine-month period.
Interestingly, one of the key methods of infiltrating and collecting info from a target is relatively common: credential phishing against webmail accounts such as Google and Yahoo. Yet even here it has taken the art of phishing to the next level, sending emails in flawless English, evading spam filters with ease and even spoofing a secure connection to allay user fears. Once they have access to a user’s email account, Pawn Storm operatives have been known to exfiltrate data for over a year. That data could be leaked to influence public opinion, as in the US, or used to conduct domestic espionage on citizens, or the operatives could try to get further inside a target network via the initial beachhead of a compromised email account.
Other tactics Trend Micro spotted include:
- Spear phishing, using a high-profile news event as the lure
- Tabnabbing as part of credential phishing: redirecting users from a legitimate URL in an open tab of a browser to a phishing site
- DNS switching: compromising corporate email servers and changing the settings to point to a foreign server
- Watering-hole attacks
- Second-stage C&C servers: not all phishing targets will be infected. First, Pawn Storm gathers info including IP address, time zone, browser plug-ins etc. before deciding whether to infect the target with first-stage malware for reconnaissance. A small number of high-value targets will then be selected for second-stage infection by malware such as X-Agent
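As an added example (not code from the Trend Micro report or this post), here is a check a defender can run over their own webmail or portal HTML for links that open a new tab while leaving `window.opener` available, which is the hook the tabnabbing tactic above relies on. The sample HTML and host names are constructed for the example.

```python
"""Audit HTML for new-tab links that leave window.opener exposed.

An <a target="_blank"> whose rel lacks "noopener" (or "noreferrer", which
implies it) lets the newly opened page navigate the tab that opened it,
e.g. redirect a webmail tab to a look-alike login page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class TabnabbingAudit(HTMLParser):
    """Collect anchors that open a new tab without severing the opener link."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (href, is_external)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return  # same-tab navigation has no opener to retarget
        rel = set(a.get("rel", "").lower().split())
        if rel & {"noopener", "noreferrer"}:
            return  # opener reference is severed; nothing to report
        href = a.get("href", "")
        host = urlparse(href).hostname
        is_external = bool(host) and host.lower() != self.site_host
        self.findings.append((href, is_external))


def audit_html(html, site_host):
    """Return (href, is_external) for every unsafe new-tab link in `html`."""
    parser = TabnabbingAudit(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page; "webmail.example.org" stands in for our own host.
SAMPLE_HTML = """
<a href="https://news.example.net/story" target="_blank">Read the story</a>
<a href="https://news.example.net/other" target="_blank" rel="noopener noreferrer">Safe</a>
<a href="https://webmail.example.org/inbox" target="_BLANK">Inbox</a>
<a href="/help">Help</a>
"""

if __name__ == "__main__":
    for href, external in audit_html(SAMPLE_HTML, "webmail.example.org"):
        print(("EXTERNAL " if external else "internal ") + href)
```

Current browsers default to noopener for `target="_blank"`, but older clients do not, so explicit `rel="noopener"` on outbound links remains the portable fix.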
It remains to be seen whether Pawn Storm hackers have managed to obtain any damaging material on Emmanuel Macron, or the German political organisations Konrad Adenauer Stiftung (associated with the CDU) and Friedrich Ebert Stiftung (associated with the SPD).
How to fight back
With an enemy as aggressive and persistent as Pawn Storm, IT security bosses really have their work cut out. But fortifying systems is not impossible. Consider the following:
- Reduce attack surface by air-gapping systems
- Mandate corporate VPN for remote workers
- Minimise number of domain names you maintain, and centralise email servers
- Ensure your registrar allows for two-factor authentication (2FA) of your DNS admin account
- Enforce 2FA for all corporate webmail, or even better, physical access keys
- Educate employees about securing webmail and ensure they don’t use these accounts for work
- Pen test your network regularly
- Keep all software up to date and patched
To find out more on Pawn Storm tools, techniques and procedures, and for more tips on how best to mitigate the risk of attack, check out Trend Micro’s new report: Two Years of Pawn Storm.