
Pawn Storm Targets German Christian Democratic Union

  • Posted on: May 11, 2016 at 8:21 am
  • Posted in: Targeted Attacks
  • Author: Feike Hacquebord (Senior Threat Researcher)

In April last year, Pawn Storm reportedly compromised computers of the German Bundestag using data-stealing malware. This was the first documented political attack by Pawn Storm against Germany. One year later, the espionage group takes a swing once again.

In April 2016, we discovered that Pawn Storm started a new attack against the German Christian Democratic Union (CDU), the political party of the Chancellor of Germany, Angela Merkel.

The attack consisted of seemingly coordinated credential phishing campaigns against the CDU and against high-profile users of two German freemail providers. A fake corporate webmail server for the CDU was set up in Latvia for advanced credential phishing. Around the same time, three domains were created for credential phishing aimed at high-profile individual users of the two German free webmail providers. While the main fake CDU webmail server was hosted in Latvia, the free-webmail credential phishing sites sit on servers of the Virtual Private Server provider in the Netherlands that we have discussed previously.

Pawn Storm attackers often conduct sophisticated, simultaneous attacks against targets’ corporate and personal email accounts. The attackers build a fake version of the targeted organization’s corporate webmail server and at the same time attack key members of the organization on their private free webmail accounts. Credential phishing is an important espionage tool: we have witnessed Pawn Storm downloading complete online mailboxes and securing future access by, for example, secretly setting up forwarding e-mail addresses.

This is a recurring theme in recent Pawn Storm attacks: organizations get hit from different angles simultaneously. We have seen it happen time and time again against various governments, armed forces, defense companies and media.

Prior to this attack, we reported on Pawn Storm attacking the Turkish government from various angles in March 2016. These attacks further confirm our theories as to the identities of the attackers: Pawn Storm clearly targets groups that could be perceived as a risk to Russian politics and interests.

Even though Pawn Storm is one of the oldest active espionage threat actors (we can trace its activity back to 2004), it remains very active, attacking many targets worldwide simultaneously and at a high rate, both with credential phishing and with malware. Monitoring its recent activity, we have counted over a dozen live X-Agent command-and-control servers. X-Agent is Pawn Storm’s second-stage malware, used only against high-value targets of particular interest. This is another strong indication of how active Pawn Storm is.

The following are the credential phishing domains mentioned in this post:

  • account-web[.]de
  • account-gmx[.]de
  • account-gmx[.]net
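As an added detection example (not code from the original post or from Trend Micro), the script below refangs the three indicators above and scans constructed proxy log lines for them, and also flags other hostnames that reuse a freemail brand name outside the brand’s own domain, the lookalike pattern the fake webmail sites rely on. It assumes the imitated providers are web.de and gmx.de / gmx.net and uses a naive last-two-labels rule for the registrable domain.

```python
import re
from urllib.parse import urlsplit

# The three defanged domains listed in the post, refanged for matching.
PAWN_STORM_IOCS = {"account-web[.]de", "account-gmx[.]de", "account-gmx[.]net"}
IOC_SET = {d.replace("[.]", ".").lower() for d in PAWN_STORM_IOCS}

# Assumed legitimate registrable domains of the two German freemail brands the
# fake sites imitate (web.de and gmx.de / gmx.net); adjust for your environment.
LEGIT_BRANDS = {"web": {"web.de"}, "gmx": {"gmx.de", "gmx.net"}}

def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels): fine for .de/.net/.com, not for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify(host: str) -> str:
    """Verdict for one hostname: 'ioc', 'legit', 'lookalike' or 'unknown'."""
    reg = registrable(host)
    if reg in IOC_SET:
        return "ioc"        # exact match on a domain from the post
    if any(reg in legit for legit in LEGIT_BRANDS.values()):
        return "legit"      # the real provider, subdomains included
    # Split on dots and hyphens (account-gmx.de -> {account, gmx, de}); a brand
    # name used as a label token outside the brand's own domain is a lookalike.
    tokens = set(re.split(r"[-.]", host.lower()))
    if any(brand in tokens for brand in LEGIT_BRANDS):
        return "lookalike"
    return "unknown"

LOG_RE = re.compile(r"\S+\s+\S+\s+(?:GET|POST)\s+(\S+)")  # "timestamp client METHOD url"

def scan_proxy_log(lines):
    """Return [(host, verdict)] for every request whose host is not plain 'unknown'."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            host = urlsplit(m.group(1)).hostname or ""
            verdict = classify(host)
            if verdict != "unknown":
                hits.append((host, verdict))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2016-04-12T09:14:03Z 10.0.0.21 GET https://account-gmx.de/login",
    "2016-04-12T09:14:05Z 10.0.0.21 GET https://mail.gmx.net/inbox",
    "2016-04-12T09:15:40Z 10.0.0.33 POST https://webmail-gmx-login.example/auth",
    "2016-04-12T09:16:02Z 10.0.0.33 GET https://webhosting.de/",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` reports the IoC hit, the legitimate provider and the lookalike while leaving the unrelated `webhosting.de` request alone.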