‘Pawn Storm’ APT Campaign Rolls On With Attacks in Germany, Turkey

Offices of German chancellor Angela Merkel among those targeted in recent attacks, Trend Micro says.

The shadowy group behind Operation Pawn Storm, a sophisticated cyber espionage campaign that has been active since at least 2004, appears to have no plans to let up any time soon.

The latest evidence that the group is still alive and operating is an attack last month targeting German chancellor Angela Merkel’s Christian Democratic Union (CDU) party website.

Security vendor Trend Micro Labs, which discovered the attacks, this week described them as comprised of seemingly simultaneous attacks targeted at the corporate and personal email accounts of CDU members.

As part of the campaign, the threat actors set up a fake webmail server in Latvia designed to look like the CDU’s main webmail server in an apparent attempt to steal the email credentials of party members.  The attackers also set up three separate phishing domains to try and grab the personal email credentials of targeted and high profile users of two German free email service providers.

The attacks were consistent with the Pawn Storm group’s habit of targeting both official and personal email accounts of targets at the same time, Trend Micro’s senior researcher Feike Hacquebord wrote in an post on the company’s blog this week.  “The attackers build a fake version of the corporate webmail server of the targeted organization and at the same attack key members of the organization on their private free webmail accounts,” Hacquebord said.

The operators of the Pawn Storm campaign have used such credential phishing tactics very successfully in the past, the researcher noted. “We have witnessed Pawn Storm downloading complete online e-mail boxes and securing future access by [for example] setting up forwarding e-mail addresses secretly.”

The attacks on members of the CDU follow a similar Pawn Storm campaign targeting the office of the Turkish prime minister and members of the country’s parliament in March this year. Hurriyet, one of Turkey’s largest newspapers, and the offices of the Directorate General of Press and Information in Turkey were also targeted in the campaign, Trend Micro said.

One of the attacks in Turkey involved the use of what Trend Micro said was a series of spoofed Outlook Web Access servers to try and steal email credentials of users of the targeted organization. “Phishing attacks against OWA users are relatively inexpensive for the attackers, but can be highly effective to steal sensitive information,” Hacquebord had noted at the time.

To launch the attacks against the Turkish government and members of the press, the Pawn Storm group took advantage of a virtual private server provider with servers in the Netherlands but a postal address in the United Arab Emirates. The same infrastructure appears to have been used in the attacks against German targets last month.

As with many of Pawn Storm’s attacks over the years, the profiles of the victims in the Turkish cyber attacks suggested that the campaign was directed at people perceived to be a threat to Russian politics, Hacquebord had noted.

Since launching in 2004, Operation Pawn Storm has proven to be one of the most far-reaching cyber espionage campaigns with political and economic motives, ever conducted. The group’s many victims over the years have included government and military and defense contractor organizations, including those in the United States and allied countries.

Groups perceived as being unfriendly to Russian government interests, including dissidents and Russian citizens and Ukrainian media members and politicians have been frequent targets suggesting that Pawn Storm is a nation-state backed operation probably based out of Russia.

It’s typical modus operandi when attacking a target organization or individual has been to use spear-phishing email to try and install credential stealing and information stealing malware on a target’s computers. One malware sample the group has favored recently to install backdoors and steal data is SEDNIT, Trend Micro had noted in a blog earlier this year.

In addition to the phishing emails, the group also has shown a penchant for creating fake OWA login pages for stealing email credentials. In addition, the group has developed exploits for several vulnerabilities including some in iOS that enable attackers to steal data, including messages, contact lists and voice mails from infected mobile devices.

Related stories:

                                             

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights