
Pawn Storm Campaign Adds Turkey To Its List of Targets

  • Posted on: March 7, 2016 at 5:03 am
  • Posted in: Bad Sites, Targeted Attacks
  • Author: Feike Hacquebord (Senior Threat Researcher)

Pawn Storm, the long-running cyber espionage campaign, added to its long list of targets several government offices (including the office of the prime minister and the Turkish parliament) and one of the largest newspapers in Turkey. Pawn Storm has been known to attack a diverse list of targets, including armed forces, diplomats, journalists, political dissidents, and software developers.

Many of these targets share a common trait: they could be perceived as a threat to Russian politics in some way or form. We believe that these attacks against Turkey were related to previous Pawn Storm-related incidents in summer and fall 2015, which targeted Syrian opposition and nearly all of the Arab countries that voiced criticism of Russia’s interventions in Syria.

Trend Micro was able to provide early warning to the Turkish authorities about the attacks, and it helped mitigate the potential damage that these attacks could have done had they gone unnoticed.

Pawn Storm has repeatedly shown interest in getting information from countries of political/geopolitical interest. By those standards, there are many reasons why attackers would choose to target Turkey. These include:

  • Disagreements with Russia over various issues, including the shootdown of a Russian jet in November 2015 by the Turkish Air Force
  • The flow of refugees attempting to enter Europe via Turkey

While these events may not be directly tied to Pawn Storm, they do make geopolitical information related to Turkey far more valuable to a nation-state threat actor. It’s no surprise, then, that Pawn Storm would add Turkey to its list of targets.

In one example, we saw a series of fake Outlook Web Access (OWA) servers set up for specific targets in that country. Phishing attacks against OWA users are relatively inexpensive for the attackers, but can be highly effective at stealing sensitive information. In previous blog posts we have shown that Pawn Storm has used advanced social engineering to trick victims into giving away their webmail credentials.

We list the targets below, along with the dates when these OWA servers were spotted:

  • The Directorate General of Press and Information of the Turkish government (January 14, and February 2, 2016)
  • The Türkiye Büyük Millet Meclisi (The Grand National Assembly of Turkey) (February 3, 19, and 26, 2016)
  • Turkish newspaper Hürriyet (February 17, 24, and 29, 2016)
  • Başbakanlık, the office of the prime minister of Turkey (February 29, 2016)

The target list above shows that Pawn Storm may be after political information from Turkey: even the Turkish parliament got attacked. The fact they have set up at least two fake OWA servers for one of the largest Turkish newspapers may also be considered as further proof that they are also after information on what is going on in major media outlets in that country.

In its assault against Turkey, Pawn Storm makes use of network infrastructure based in the Netherlands. They seem to have found a cozy home at a VPS provider with a postal address in the United Arab Emirates and servers in a datacenter in the Netherlands. This isn’t the first time Pawn Storm has used this particular VPS provider. Dozens of Pawn Storm attacks in 2015 and 2016 have been made using the services of this VPS provider, along with attacks by other threat actor groups such as DustySky and Carbanak. This provider has also been used by actors who targeted users of one of the largest Russian banks. This makes them look like a bulletproof hosting service in the Netherlands.

Additional information about Pawn Storm can be found here:

  • Operation Pawn Storm: Fast Facts and the Latest Developments

Tags: OWA, Pawn Storm, phishing, Targeted Attack, VPS
