• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Bad Sites   »   Pawn Storm’s Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets

Pawn Storm’s Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets

  • Posted on:August 18, 2015 at 6:51 am
  • Posted in:Bad Sites, Targeted Attacks
  • Author:
    Feike Hacquebord (Senior Threat Researcher)
0

Why would Pawn Storm, the long-running cyber-espionage campaign, set its sights on a Russian punk rock group? Sure, Pussy Riot is controversial. Members of the feminist band had previously been thrown in jail for their subversive statements against the Orthodox Church and Russian patriarchal system. But why would attackers have any interest in them? What is their connection to other targets?

Earlier this year, we reported that the operators behind Pawn Storm had gone after members of the North Atlantic Treaty Organization (NATO), the White House, and the German parliament. Previously, they focused on various embassies and military attachés stationed across several countries. Pawn Storm’s targets have mostly been external political entities outside of Russia, but after our analysis we found that a great deal of targets can actually be found within the country’s borders.

Domestic spying in Russia

The Russian spies behind Pawn Storm apparently do not discriminate. They even monitor their fellow citizens. Credential phishing attacks directed towards Russian nationals builds a case for domestic spying. Figure 1 shows a closer breakdown of their targets per industry.

Figure 1. Primary industry/sector targets in Russia

Many peace activists, bloggers, and politicians got targeted in Russia. Some of the more noteworthy targets per industry are as follows:

Politicians A former Russian prime minister, and a prominent member of United Russia
Artists Two members of Pussy Riot and a popular Russian rock star
Media Journalists from slon.ru, The New Times, TV Rain, Novaya Gazeta, Jailed Russia, other media outlets that criticize the current Russian regime, and the Apostol Media Group
Software developers A CEO of a Russian company developing encryption software, and a mail.ru developer

Looking at the list, it’s easy to conclude that the people behind this campaign are keeping tabs on potential dissidents of the current Russian regime. Pussy Riot’s criticism of the government does make them a logical target if this were the case. But the inclusion of software developers, as well the Apostol Media Group, which has ties to Russian government, is interesting. The fact that at least one active Russian military attaché in a NATO country got targeted by Pawn Storm makes the spies’ motivations even more intriguing.

The Ukraine and US connection

In Figure 2, we see the top 10 target countries of Pawn Storm. Ukraine has the lion’s share. With 25%, it surpasses Russia and the US. The three countries currently have a volatile relationship thanks to clashing political interests.

Figure 2. Breakdown of Top 10 targets by country

The military, media, government, and political figures in Ukraine were all targeted almost equally, with those four categories accounting for approximately two-thirds of all targets in the country:

Figure 3. Primary industry/sector targets in Ukraine

As for the US, the primary targets are defense companies and the military (Air Force, Navy, and Army). Think tanks and academia are targets too. Pawn Storm also has a particular interest in oil researchers and nuclear energy.

Figure 4. Primary industry/sector targets in the US

These attempted compromises were part of a larger campaign of tens of thousands of individual credential phishing attacks against high-profile users of a multitude of webmail providers like Gmail, Yahoo, Hushmail, Outlook, and other providers in Ukraine, Iran, Norway, and even China.

The United Kingdom is a big target for Pawn Storm, but the majority of attacks are attempts to compromise Eastern Europeans who reside in Britain.

A case of credential phishing

The way the attacks are carried out varies. Some campaigns used malware and vulnerabilities. Pawn Storm used at least six zero-days, including the critical CVE-2015-2590 Java vulnerability. A prominent modus operandi is advanced credential phishing. We were able to collect data on more than 12,000 individual credential phishing attacks in 2014 and 2015, making it possible for us to derive reliable statistics on Pawn Storm targets worldwide.

To illustrate one of the credential phishing attacks Pawn Storm sends to its targets, we will focus on a particular attack on high-profile Yahoo users in early July 2015.


Figure 5. Targeted Yahoo credential phishing e-mail

This phishing attack tried to lure selected Yahoo users to give Pawn Storm full access to their mailboxes using OAuth—an open standard authentication protocol that Yahoo offers to app developers. Pawn Storm sent out phishing e-mails that offered a “Mail Delivery Service” for guaranteed delivery of e-mails. In reality, this service was built to allow attackers behind Pawn Storm to access their target’s accounts through OAuth. When Yahoo users would opt in, Pawn Storm would get unfettered access to the mailbox.

The problem here is that the phishing links point to a legitimate Yahoo website of OAuth. Since this is the case, recipients of the phishing e-mails may think the phishing URL is harmless.

pawn-storm-targets5

Figure 6. Phishing site at Yahoo.com where Pawn Storm’s targets are lured into giving permission to full mailbox access

Although we cannot say for sure what these spies’ intentions are, given the variety of this campaign’s targets, it looks like they are amassing a huge database of information, perhaps keeping tabs on possible threats to Russia. We are continually monitoring the campaign and its developments.

This is the latest entry in a series of blog posts we have done on Operation Pawn Storm:

  • Analyzing the Pawn Storm Java Zero-Day – Old Techniques Reused
  • Pawn Storm C&C Redirects to Trend Micro IP Address
  • An In-Depth Look at How Pawn Storm’s Java Zero-Day Was Used
  • Oracle Patches Java Zero-Day Used in Operation Pawn Storm
  • Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit
  • Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House
  • Pawn Storm Update: iOS Espionage App Found

Pawn Storm is also mentioned in our 2Q Security Roundup, A Rising Tide: New Hacks Threaten Public Technologies.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: cyberespionagePawn StormphishingRussiaukraine

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.