Tracking the continuous evolution of notorious APT group Pawn Storm

By Bharat Mistry

Trend Micro is dedicated to securing the connected world, and all of our customers across the globe. To help us in this task, we have a team of over 1,200 dedicated white hat researchers working round the clock to anticipate and investigate the latest emerging cyber-threats. Many of the groups responsible for these are criminal gangs. But increasingly they may also be state-backed hackers. Now this may sound like a far cry from the day-to-day mundanity of the average UK enterprise. But that’s not necessarily the case.  

Sophisticated Advanced Persistent Threat (APT) groups don’t always target big-name brands or military and critical infrastructure sectors. As our latest research into the infamous Pawn Storm group highlights, they’re even going after private schools, kindergartens and doctors.

A brief history of Pawn Storm
The activities of Pawn Storm can be traced back to 2004, although we have been tracking the group in earnest for the past six or so years. Also known by the monikers APT28, Sofacy, Sednit, Fancy Bear and Strontium, this is one of the world’s most notorious APT groups. Notable past victims include the German Christian Democratic Union (CDU) party, the World Anti-Doping Agency (WADA), and the Democratic National Committee (DNC). Hillary Clinton has blamed sensitive emails lifted from the latter as helping Donald Trump to power.

Make no mistake, Pawn Storm is one of the most sophisticated and well-resourced APT groups we’ve ever seen. And thanks to our tracking of its tools, tactics and procedures (TTPs), we’ve been able to detail a few new trends in 2019.

What’s new?
Specifically, we saw the group decide to use the email accounts of high-profile targets it had already compromised to send out credential phishing emails to other targets — mainly Middle East defence companies. It’s unclear why they did this, maybe to evade spam filters, and it doesn’t appear to have been particularly successful.

We also observed Pawn Storm scanning email servers and Microsoft Exchange Autodiscover servers across the globe, with a view to brute forcing admin credentials, exfiltrating email data and using it to phish a new wave of targets. Interestingly, their targets for this campaign were not just the usual suspects of military and defence organisations, governments, law firms, political parties, and universities, but also more unusual ones such as private schools in France and the UK, and even a kindergarten in Germany.
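As an added example (not from the original post or Trend Micro's tooling), the following detection logic flags the kind of credential brute forcing and password spraying against Exchange Autodiscover described above. It runs over constructed IIS-style W3C log lines; the field order, endpoint list and thresholds are assumptions a defender would adjust to their own environment.

```python
from collections import defaultdict

# Constructed sample log (not real data). Assumed W3C field order:
# date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2019-05-02 08:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 198.51.100.7 401
2019-05-02 08:00:02 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\alice 198.51.100.7 401
2019-05-02 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\bob 198.51.100.7 401
2019-05-02 08:00:04 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\carol 198.51.100.7 401
2019-05-02 08:00:05 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\dave 198.51.100.7 401
2019-05-02 08:00:06 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\erin 198.51.100.7 401
2019-05-02 08:00:07 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\frank 198.51.100.7 401
2019-05-02 08:01:00 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\alice 203.0.113.9 401
2019-05-02 08:01:05 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\alice 203.0.113.9 200
2019-05-02 08:02:00 10.0.0.5 GET /owa/ CORP\\bob 192.0.2.44 200
"""

# Exchange front-end paths that require authentication (assumed list).
AUTH_ENDPOINTS = ("/autodiscover/", "/owa/", "/ews/", "/mapi/", "/microsoft-server-activesync")
FIELDS = ("date", "time", "s_ip", "method", "uri", "user", "c_ip", "status")

def parse_lines(text):
    """Yield one dict per W3C log record, skipping '#' directive lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= len(FIELDS):
            yield dict(zip(FIELDS, parts))

def find_brute_force(text, fail_threshold=5, spray_threshold=3):
    """Return {client_ip: {...}} for IPs with many failed logons (brute force)
    or failures across many distinct accounts (password spraying)."""
    fails, users = defaultdict(int), defaultdict(set)
    for rec in parse_lines(text):
        if not rec["uri"].lower().startswith(AUTH_ENDPOINTS):
            continue
        # The first anonymous request always gets a 401 challenge (user "-");
        # only count 401s where credentials were actually presented.
        if rec["status"] != "401" or rec["user"] == "-":
            continue
        fails[rec["c_ip"]] += 1
        users[rec["c_ip"]].add(rec["user"])
    alerts = {}
    for ip, n in fails.items():
        spray = len(users[ip]) >= spray_threshold
        if n >= fail_threshold or spray:
            alerts[ip] = {"failures": n, "users": sorted(users[ip]), "spray": spray}
    return alerts
```

A single failed logon followed by success (203.0.113.9 above) stays below both thresholds, so legitimate typos do not alert.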

This is testament to the fact that no organisation is safe from APT attacks today.

The good news is that the bad guys do make mistakes that we can use to better understand their methods and motivations. For example, we were able to track credential phishing campaigns against two US, one Russian and one Iranian webmail provider over a two-year period by analysing DNS Sender Policy Framework (SPF) requests for the domains the group used. Although the group assigned five domains to the servers used in this campaign, it didn’t register them, allowing Trend Micro researchers to sneak in and monitor activity.

Staying safe
We predict this particular threat group will be around for years to come. And it’s just one of many operating today. Here are some recommendations for insulating your organisation against these latest attacks. Even if it is not a Pawn Storm target, these are important best practices:

• Enforce the principle of least privilege, and disable any outdated or unused services
• Regularly patch/update OS and applications. Consider virtual patching for known and unknown vulnerabilities
• Regularly monitor your infrastructure with firewalls and intrusion detection and prevention systems 
• Deploy two-factor authentication for corporate email accounts, network access, and outsourced services 
• Educate employees about phishing techniques and common attack vectors, and prohibit the use of personal webmail and social media accounts for work purposes
• Regularly back-up data and encrypt stored sensitive information

For the full report, head here!
