Operation Pawn Storm allegedly run by hackers backed by the Russian Government still advancing their infrastructure a great deal, the group is believed to using advanced tactics to hit the targets.
Trend Micro revealed that the group have introduced all new infrastructure and is “Zeroing in” onto the targets that include NATO (North Atlantic Treaty Organization) members. The group behind Operation Pawn is allegedly linked to government of Russia, and has been operating since 2007. The main targets of this hacking group include defence industry, military, government organizations and the media firms.
Feike Hacquebord, Trend Micro’s senior threat researcher blogged, “The first quarter of 2015 has seen a great deal of activity from the group”. He further added, “Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.”
The group makes use of three different types of strategies to launch the attack on targets. One among those three is, spear-phishing where emails having malicious MS office docs laced alongside the Sofacy/SEDNIT malware
are sent to the target. Another strategy being used works as sending phishing emails out that redirects users to the fake OWA (Microsoft Outlook Web Access) login pages. Third way with which they attack on target is, infecting Polish government legitimate sites which then leads victims to aforementioned malware.
Feike Hacquebord stated in his blog post that, “In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link,”. Adding things further to it, a paragraph from him blog post reads as,
“In one case, the subject of the spam e-mail is the Southern Gas Corridor that the European Union initiated to become less dependent on Russian Gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.”
“When certain criteria are met the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site,” he wrote. “The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you’re a Linux user, and Sednit if you’re running Windows.”
Some reports even state that, White House is one of the organizations that got attacked by the group. On Jan 26, attackers also targeted three very popular Youtube Bloggers making use of phishing attacks on Gmail – states the report being issued by Trend Micro.
Feike Hacquebord also blogged, “This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place”. The Trend Micro researcher added further, “In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.”
The group also targeted iOS based devices to infect users with their malware, just recently!
Feike Hacquebord added, “Organizations must remain on high alert for these kinds of attack, as Operation Pawn Storm hackers go to great lengths to make their emails appear legitimate,”
What Trend Micro suggested in their blog post is worth taking into serious consideration. It reads as, “Military and government bodies in the US, Europe and Asia especially must invest in the right advanced cyber security tools to block phishing and malware downloads, and improve user training and education to mitigate the risk of attack.”
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57
(Security Affairs – Pawn Storm, state-sponsored hackers)