A small webhosting provider with servers in the Netherlands and Romania has been a hotbed of targeted attacks and advanced persistent threats (APT) since early 2015. Starting from May 2015 till today we counted over 100 serious APT incidents that originated from servers of this small provider. Pawn Storm used the servers for at least 80 high profile attacks against various governments in the US, Europe, Asia, and the Middle East. Formally the Virtual Private Server (VPS) hosting company is registered in Dubai, United Arab Emirates (UAE). But from public postings on the Internet, it is apparent that the owner doesn’t really care about laws in UAE. In fact, Pawn Storm and another APT group, attacked the government of UAE using servers of the VPS provider through highly targeted credential phishing. Other threat actors like DustySky (also known as the Gaza hackers) are also regularly using the VPS provider to host their Command and Control (C&C) servers and to send spear phishing e-mails.Read More
Whenever people think of APTs and targeted attacks, people ask: who did it? What did they want? While those questions may well be of some interest, we think it is much more important to ask: what information about the attacker can help organizations protect themselves better?
Let’s look at things from the perspective of a network administrator trying to defend their organization. If someone wants to determine who was behind an attack on their organization, maybe the first thing they’ll do use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. What’s not to say that whoever was responsible for the attack also compromised that server? What makes you think that site’s owner will cooperate with your investigation?Read More
A few weeks ago I appeared on the RedZone podcast hosted by Bill Murphy, where I talked about (among other topics) the differences between targeted attacks and what our competitors called Advanced Persistent Threats (APTs). This is a topic that I’ve frequently talked about in the past, and I get asked about it a lot in…Read More
One of the ways that malware activity on a network is spotted is via the activity of their network activity. However, in many cases this can be difficult to detect: there have been incidents where command-and-control (C&C) servers were able to stay online and pose a problem for many years. This particular group of threat…Read More
Dr. Thamar E. Gindin didn’t know exactly why she was being targeted. She only knew that her attackers were persistent. An expert lecturer on linguistics and pre-Islamic Iranian culture, she had apparently uttered political statements that had piqued the people behind Rocket Kitten—a known attack group notorious for snooping on select high-profile individuals in the…Read More