Pawn Storm is an active and aggressive espionage actor group that has been operating since 2004. The group uses different methods and strategies to gain information from their targets, which are covered in our latest research. However, they are particularly known for dangerous credential phishing campaigns. In 2016, the group set up aggressive credential phishing…Read More
The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets. This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm (also known as Fancy Bear, APT28, Sofacy, and STRONTIUM) ramped up its spear-phishing campaigns against various governments and embassies around the world. In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe’s Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation in Microsoft’s Windows Operating System (CVE-2016-7255) that was fixed on November 8, 2016.Read More
April last year, Pawn Storm reportedly compromised computers of the German Bundestag using data-stealing malware. This was the first documented political attack of Pawn Storm against Germany. One year later, this espionage actor group takes a swing once again.
In April 2016, we discovered that Pawn Storm started a new attack against the German Christian Democratic Union (CDU), the political party of the Chancellor of Germany, Angela Merkel.
The attack consisted of seemingly coordinated credential phishing attacks against the CDU and high profile users of two German freemail providers. A fake corporate webmail server of CDU was set up in Latvia for advanced credential phishing. Around the same time, three domains were created for credential phishing targeting high-profile individual users of two German free webmail providers. The main fake webmail server of CDU was set up in Latvia, but the free webmail credential phishing sites are on servers of the Virtual Private Server provider in the Netherlands we have discussed previously.Read More
A small webhosting provider with servers in the Netherlands and Romania has been a hotbed of targeted attacks and advanced persistent threats (APT) since early 2015. Starting from May 2015 till today we counted over 100 serious APT incidents that originated from servers of this small provider. Pawn Storm used the servers for at least 80 high profile attacks against various governments in the US, Europe, Asia, and the Middle East. Formally the Virtual Private Server (VPS) hosting company is registered in Dubai, United Arab Emirates (UAE). But from public postings on the Internet, it is apparent that the owner doesn’t really care about laws in UAE. In fact, Pawn Storm and another APT group, attacked the government of UAE using servers of the VPS provider through highly targeted credential phishing. Other threat actors like DustySky (also known as the Gaza hackers) are also regularly using the VPS provider to host their Command and Control (C&C) servers and to send spear phishing e-mails.Read More