Pawn Storm, the long-running cyber espionage campaign, added to its long list of targets several government offices (including the office of the prime minister and the Turkish parliament) and one of the largest newspapers in Turkey. Pawn Storm has been known to attack a diverse list of targets, including armed forces, diplomats, journalists, political dissidents, and software developers.
Many of these targets share a common trait: they could be perceived as a threat to Russian politics in some way. We believe that these attacks against Turkey were related to previous Pawn Storm incidents in the summer and fall of 2015, which targeted the Syrian opposition and almost all of the Arab countries that voiced criticism of Russia’s interventions in Syria.
Trend Micro was able to provide early warning to the Turkish authorities about the attacks, which helped mitigate the potential damage these attacks could have done had they gone unnoticed.
Pawn Storm has repeatedly shown interest in getting information from countries of political/geopolitical interest. By those standards, there are many reasons why attackers would choose to target Turkey. These include:
- Disagreements with Russia over various issues, including the shootdown of a Russian jet in November 2015 by the Turkish Air Force
- The flow of refugees attempting to enter Europe via Turkey
While these events may not be directly tied to Pawn Storm, they do make geopolitical information related to Turkey far more valuable to a nation-state threat actor. It’s no surprise, then, that Pawn Storm would add Turkey to its list of targets.
In one example, we saw a series of fake Outlook Web Access (OWA) servers set up for specific targets in that country. Phishing attacks against OWA users are relatively inexpensive for the attackers, but can be highly effective at stealing sensitive information. In previous blog posts we have shown that Pawn Storm has used advanced social engineering to trick victims into giving away their webmail credentials.
We list the targets below, along with the dates on which these OWA servers were spotted:
- The Directorate General of Press and Information of the Turkish government (January 14, and February 2, 2016)
- The Türkiye Büyük Millet Meclisi (The Grand National Assembly of Turkey) (February 3, 19, and 26, 2016)
- Turkish newspaper Hürriyet (February 17, 24, and 29, 2016)
- Başbakanlık, the office of the prime minister of Turkey (February 29, 2016)
The target list above shows that Pawn Storm may be after political information from Turkey: even the Turkish parliament was attacked. The fact that they set up at least two fake OWA servers for one of the largest Turkish newspapers may also be considered further proof that they are after information on what is going on in major media outlets in that country.
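Defenders can look for fake OWA servers of the kind described above in their own telemetry. The following is an added example, not code from the original post: it scans constructed proxy log lines for hostnames that imitate an organisation's real webmail host (a typosquat, the real FQDN reused as a subdomain of a foreign domain, or the brand label combined with "owa" under another domain). The legitimate hostname, the log format and the sample hosts are all hypothetical.

```python
# Hypothetical legitimate OWA host for the defended organisation (not from the post).
LEGIT_OWA_HOSTS = {"mail.example-ministry.gov.tr"}

# Constructed proxy lines ("<time> <client> <host> <path>"); not real Pawn Storm hosts.
SAMPLE_LOG = """\
2016-02-29T08:01:12Z 10.1.2.3 mail.example-ministry.gov.tr /owa/auth/logon.aspx
2016-02-29T08:02:40Z 10.1.2.9 mail.example-ministry.gov.tr.login-portal.example /owa/
2016-02-29T08:03:05Z 10.1.2.4 mail.exanple-ministry.gov.tr /owa/auth.owa
2016-02-29T08:04:17Z 10.1.2.7 www.wikipedia.org /wiki/Turkey
2016-02-29T08:05:50Z 10.1.2.8 owa-example-ministry.example /owa/
"""

def levenshtein(a, b):
    """Edit distance between two strings (inlined to keep the example dependency-free)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, legit=LEGIT_OWA_HOSTS, max_edits=2):
    """True if host is not one of ours but imitates one of our OWA hostnames."""
    host = host.lower().rstrip(".")
    if host in legit:
        return False
    for real in legit:
        brand = real.split(".")[1]                 # e.g. "example-ministry"
        if host.startswith(real + "."):            # our FQDN used as a subdomain elsewhere
            return True
        if levenshtein(host, real) <= max_edits:   # typosquat of our FQDN
            return True
        if brand in host and "owa" in host:        # brand + "owa" under a foreign domain
            return True
    return False

def suspicious_hosts(log_text):
    """Hosts in the proxy log that look like fake OWA servers, sorted for stable output."""
    hits = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and is_lookalike(parts[2]):
            hits.add(parts[2].lower())
    return sorted(hits)

if __name__ == "__main__":
    for h in suspicious_hosts(SAMPLE_LOG):
        print("possible fake OWA host:", h)
```

Flagged hosts should be checked against DNS registration data and passive DNS before being blocked, since the edit-distance rule will also catch legitimate sister domains.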
In its assault against Turkey, Pawn Storm makes use of network infrastructure based in the Netherlands. They seem to have found a cozy home at a VPS provider with a postal address in the United Arab Emirates and servers in a datacenter in the Netherlands. This isn’t the first time Pawn Storm has used this particular VPS provider. Dozens of Pawn Storm attacks in 2015 and 2016 have used this VPS provider’s services, as have attacks by other threat actor groups such as DustySky and Carbanak. This provider has also been used by actors who targeted users of one of the largest Russian banks. This makes them look like a bulletproof hosting service in the Netherlands.
Additional information about Pawn Storm can be found here: