Two Years of Pawn Storm: Examining an Increasingly Relevant Threat
Pawn Storm—also known as Sednit, Fancy Bear, APT28, Sofacy, and STRONTIUM—is an active cyber espionage organization that has been very aggressive and ambitious in recent years. Pawn Storm’s activities show that foreign and domestic espionage and influence on geopolitics are the group’s main motives, with targets that include armed forces, the defense industry, news media, and politicians.
The group has been operating for years; in fact, Trend Micro first took note of their activities way back in 2004. But Pawn Storm has become increasingly relevant over the past two years, particularly because the group has been found to be doing more than espionage alone. In 2016, Pawn Storm attempted to influence public opinion and elections, and tried to sway the mainstream media with stolen data. Earlier, Pawn Storm appeared to limit its activities to political, military, and domestic espionage. Today the impact can be felt by various industries and enterprises operating throughout the world. Even the average citizen might be affected as Pawn Storm tries to manipulate people’s opinions about domestic and international affairs. The group's operations and methods might also serve as an example for other actors, who may copy these tactics and repurpose them to fit their own objectives.
Recent activities and their impact
In 2016, the group not only attacked the Democratic National Convention (DNC), but also targeted the German political party Christian Democratic Union (CDU), the Turkish parliament, the parliament in Montenegro, and the World Doping Agency (WADA). Stolen data from DNC and WADA were released in parts (altered or unaltered) and precisely timed to harm the targets. In some other related instances, information was leaked more than a year after it was stolen.
Media sources have confirmed that the group approached them directly or indirectly and offered them “exclusive” information. Some mainstream media decided to work with the actors; they took the stolen data and published articles based on the data. This shows that Pawn Storm—also well-known for their attempts to compromise various media organizations and journalists—has had some success with getting mainstream media to publish articles that might help their objectives.
This paper takes a look at Pawn Storm's operations within the last two years. We have compiled data on targets and campaigns conducted by the group, as well as details on the specific attacks used to compromise victims. Later sections cover the operational side of the group, from their facilitators to their attitude about organizational security. The paper also provides some guidelines on how to defend against this increasingly relevant threat, as well as solutions that can protect organizations from Pawn Storm's tactics.
Erratum: In page 14 of the attached PDF, the phishing domains mail.hm.gov.hu and mail.mod.gov.es listed in table 2 were incorrect. The document has been updated with the correct domains (mail.hm.qov.hu, mail.mod.qov.es).
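The corrected domains above substitute "qov" for "gov" in the name of a legitimate government mail host. The following is an added example, not code from the paper or from Trend Micro, showing how a defender can flag such lookalike domains in log lines by canonicalizing visually confusable characters before comparing against an allow-list; the allow-list, the confusable table and the log lines are constructed for the example.

```python
"""Flag lookalike mail domains of the kind noted in the erratum
(mail.hm.qov.hu / mail.mod.qov.es imitating the .gov.hu / .gov.es hosts).
Allow-list, confusable table and log lines are constructed for this example."""
import re
from typing import List, Optional, Tuple

# Visually confusable spellings used in typosquatting, mapped back to the
# character they imitate; both sides of a comparison are canonicalized.
CONFUSABLES = {"q": "g", "0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

# Constructed allow-list of legitimate hosts (the two named in the erratum).
LEGITIMATE = {"mail.hm.gov.hu", "mail.mod.gov.es"}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def normalize(domain: str) -> str:
    """Collapse confusable spellings so 'qov' and 'gov' compare equal."""
    d = domain.lower()
    # Longer multi-character confusables first so 'rn' is handled before 'n'.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str) -> Optional[str]:
    """Return the legitimate host this domain imitates, or None."""
    if domain in LEGITIMATE:
        return None  # an exact match is the real host, not a lookalike
    norm = normalize(domain)
    for legit in LEGITIMATE:
        if norm == normalize(legit):
            return legit
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (observed_domain, impersonated_host) for each lookalike found."""
    hits = []
    for line in lines:
        for dom in sorted(set(DOMAIN_RE.findall(line.lower()))):
            target = lookalike_of(dom)
            if target:
                hits.append((dom, target))
    return hits


SAMPLE_LOG = [  # constructed proxy log lines, not real traffic
    "2016-03-01 user1 GET https://mail.hm.qov.hu/owa/",
    "2016-03-02 user2 GET https://mail.hm.gov.hu/owa/",
    "2016-03-03 user3 GET https://mail.mod.qov.es/reset?token=x",
]
```

Running `scan_log(SAMPLE_LOG)` flags the two "qov" hosts and leaves the genuine mail.hm.gov.hu visit alone.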