In the fall of 2014, Trend Micro researchers first announced their findings pertaining to Operation Pawn Storm, a cyber-espionage campaign. At the time, the group behind the attacks was targeting government and military organizations, using spear phishing and other strategies to lure and infect victims. Now, it seems the operation is changing its approach and has begun utilizing spyware on Apple iOS devices to glean information from officials.
Operation Pawn Storm: Phishing attacks
According to SecurityWeek contributor Brian Prince, researchers discovered that the group responsible for the Operation Pawn Storm attacks had been working to attack global organizations since 2007. One of its first large-scale attacks as part of the campaign didn’t come until the summer of 2014, however, when the group was able to infect Polish government websites. The group followed up with an attack on the website belonging to the Power Exchange in Poland, which was compromised in September 2014.
At the time, the group utilized very specific spear phishing email messages to target certain victims. During one attack, an email was only sent to three employees of a firm that the malicious actors sought to compromise. While many infections took place in this manner, researchers found that hackers would vary their approaches with the phishing emails in order to increase their chances of a successful attack.
“The cybercriminals behind Operation Pawn Storm are using several different attack scenarios: spear phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages,” noted Jim Gogolinski, Trend Micro senior threats researcher.
This approach also earned the group its Pawn Storm moniker.
“The actors of Pawn Storm tend to first move a lot of pawns in the hopes [that] they come close to their actual, high profile targets,” Trend Micro noted in a blog post. “When they finally successfully infect a high profile target, they might decide to move their next pawn forward: advanced espionage malware.”
Gogolinski added that the malware being used in many instances – dubbed SEDNIT – illustrated that the attackers knew what they were doing. This sophisticated sample was specifically created to breach advanced security systems and maintain an invisible presence on the network in order to gather as much data as possible. Because the targets in the attacks were military and government organizations, the information being stolen was highly sensitive and likely had a number of protections in place. However, the phishing emails encouraged recipients to let their guard down, allowing black hats to make their move.
“Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get into target networks – exploits and data-stealing malware,” stated Trend Micro’s report on Operation Pawn Storm. “SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manners of sensitive information from the victims’ computers while effectively evading detection.”
Operation Pawn Storm evolves: iOS app discovered
Even after the phishing-based attacks were uncovered, the malicious group behind Operation Pawn Storm didn’t cease its efforts. In early February 2015, Trend Micro researchers discovered spyware created specifically for iOS devices being utilized as part of targeted attacks.
Researchers believe the iOS sample is used to attack devices that have been previously compromised, and that it closely resembles the SEDNIT samples utilized in conjunction with the phishing emails. Trend Micro discovered two iOS-based malware strains: one dubbed XAgent and another called MadCap, which is also the name of a legitimate iOS gaming application.
“The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control server,” Trend Micro stated.
The discovery of these malicious samples illustrates that the threat actors involved in Operation Pawn Storm are now widening their attack sphere, infecting an increasing number of targets through the mobile device malware as compared to the more pinpointed phishing emails.
Possible ties to Russia
According to International Business Times contributor Jeff Stone, this malware could connect Operation Pawn Storm to the Russian government. Although Trend Micro researchers did not mention Russia in their announcements, other researchers have concluded that, given the level of sophistication of the malware being leveraged in the attacks, chances are good that it came from Russian cybercriminals.
Stone noted that the malware initially appeared after Russia annexed Crimea. This act raised eyebrows in a number of other nations, and caused the U.S. to issue sanctions mainly impacting the Russian economy.
Despite these loose ties to the Russian government, concrete evidence that connects Operation Pawn Storm to the nation has yet to be discovered. Researchers are still investigating, but military and government organizations, particularly those with iOS mobile device users, should ensure that their network- and device-level security systems are kept up to date. In addition, any emails with suspicious attachments should be avoided.