Operation Pawn Storm: How to Spot and Block APTs

by Ross Dyer

Most recently, our dedicated team of threat researchers at TrendLabs uncovered a sophisticated and ongoing cyber espionage campaign known as Operation Pawn Storm, targeting military, embassies, defence contractors and media organizations in the US and its allied countries. Let’s dig a bit deeper.

A closer look
Unusually for an APT-style attack like this, the group behind Operation Pawn Storm used three main techniques to infiltrate victim networks:

  • Spearphishing emails with malicious Word documents designed to download SEDNIT/Sofacy information-stealing malware
  • Exploits injected into legitimate websites that, when visited by machines matching very specific criteria (OS, language settings, time zone, and installed software), led them to the same SEDNIT malware.
  • Phishing emails that redirected targets to fake Outlook Web Access pages where details could be harvested and mailboxes compromised.
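The third technique, fake Outlook Web Access logon pages, lends itself to a simple gateway-side check. The following is an added example (not code from the original post or from any Trend Micro product) that classifies URLs extracted from incoming mail against the organisation's real OWA hostname; the hostname `mail.example-corp.com` and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed legitimate OWA hostname for the defended organisation (hypothetical).
LEGIT_OWA_HOST = "mail.example-corp.com"

# Constructed sample URLs, as a mail gateway might extract them from message bodies.
SAMPLE_URLS = [
    "https://mail.example-corp.com/owa/auth/logon.aspx",         # genuine
    "https://mail.example-corp.com.account-check.net/owa/",      # real host embedded in foreign domain
    "https://mail.exampIe-corp.com/owa/auth/logon.aspx",         # typosquat (capital I for l)
    "http://203.0.113.7/owa/auth/logon.aspx",                    # OWA path served from a bare IP
    "https://news.example.org/article/123",                      # unrelated link
]

def registrable_domain(host):
    """Last two DNS labels (adequate for .com/.net/.org lures; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted copies of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_owa_link(url, legit_host=LEGIT_OWA_HOST):
    """Return (verdict, reason); verdict is 'legit', 'lure' or 'benign'."""
    parts = urlsplit(url)
    host, path, legit_host = (parts.hostname or "").lower(), parts.path.lower(), legit_host.lower()
    if host == legit_host:
        return "legit", "exact match with the organisation's OWA host"
    if host.startswith(legit_host + "."):
        return "lure", "real OWA hostname embedded in a foreign domain"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) and "/owa" in path:
        return "lure", "OWA logon path served from a bare IP address"
    if 0 < edit_distance(registrable_domain(host), registrable_domain(legit_host)) <= 2:
        return "lure", "domain within edit distance 2 of the real one (typosquat)"
    if "/owa" in path or "logon.aspx" in path:
        return "lure", "OWA-style logon path on an unrelated domain"
    return "benign", "no OWA lure indicators"

if __name__ == "__main__":
    # A gateway would block or quarantine every URL classified as a lure.
    for url in SAMPLE_URLS:
        verdict, reason = classify_owa_link(url)
        print(f"{verdict:7} {url}  ({reason})")
```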

Highly targeted, highly dangerous
Operation Pawn Storm is a great example of just how targeted some attacks can be today. In one case a spearphishing email was sent to just three employees of a billion-dollar multinational, even though their email addresses were not publicly available.

Moreover, the campaign has been ongoing since 2007 – highlighting the persistent nature of such attacks. SEDNIT malware, meanwhile, allowed large volumes of sensitive data to be exfiltrated covertly from victim PCs in a manner that made attack attribution very difficult.

How can I protect myself?
In the face of a clearly well-resourced, highly motivated and sophisticated attack group, it can seem a daunting task knowing how best to defend your organization. But it’s not impossible.

In today’s threat environment, targeted attacks – while not all as sophisticated as this one – are growing in volume all the time. It pays, therefore, to assume you have already been breached and focus efforts away from trying to stop everything at the perimeter and towards gaining greater visibility into unusual network activity. This could provide the vital clue you need to spot an incursion and lock it down before it has a chance to do much damage.

Trend Micro Deep Discovery has been engineered with precisely this in mind. Our APT-hunter tool provides:

  • 360-degree monitoring of network traffic
  • Sandboxing and analysis of suspicious attachments to block phishing emails via Email Inspector
  • Monitoring of all ports and 80+ protocols
  • Specialised detection engines and custom sandboxing to spot malware, C&C comms and evasive attacker activities
