Operation Pawn Storm: Fast Facts and the Latest Developments

Operation Pawn Storm View Operation Pawn Storm Targets and Activities

Operation Pawn Storm is an ongoing cyber espionage campaign that’s as far-reaching as it is ambitious. It has been known to primarily target military, embassy, and defense contractor personnel from the United States and its allies, including government institutions such as the North Atlantic Treaty Organization (NATO). Opposing factions, dissidents of the Russian government, international media, and high-profile political personalities in Ukraine are targeted as well.

We published our findings about Operation Pawn Storm in October 2014, in a research paper titled “Operation Pawn Storm: Using Decoys to Evade Detection” and we’ve been tracking its movements and developments since then. 

What is Operation Pawn Storm?

Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of high-profile entities, from government institutions to media personalities. Its activities were first seen as far back as 2004, but recent developments have revealed more concrete details about the operation itself, including its origins and targets.

What makes it different from other cyber espionage groups/operations?

Operation Pawn Storm is distinct from other politically-inclined threat actor groups because of its attack methods, which include the following:

  • Utilizing spear-phishing email leading to SEDNIT/Sofacy. The spear phishing email itself may contain geopolitical material/subjects to bait the recipient into opening it. SEDNIT is a malware known for its backdoor and infostealing routines.
  • Creating fake Outlook Web Access (OWA) login pages for credential phishing mail payloads. A variant of their spear phishing emails redirected users to a fake Outlook Web Access login page instead, in the hopes of stealing their login credentials. One of the many targets of this particular method include US defense contractor ACADEMI, formerly known Blackwater.   
  • Exploits for the following vulnerabilities: CVEs: CVE-2010-3333, CVE-2012-0158, CVE-2013-1347, CVE-2013-3897, CVE-2014-1761, CVE-2014-1776, CVE-2015-2590, CVE-2015-4902, CVE-2015-7645
  • Creating (and using) iOS malware for espionage. The malicious app, detected by Trend Micro as either IOS_XAGENT.A or IOS_XAGENT.B, steals all sorts of information from the mobile device it infects, such as messages, contact lists, geo-location data, pictures and even voice recordings.
Who are its targets?

Operation Pawn Storm is known to have targeted the following:
  • NATO and the organization's member states
  • Government, Military and Media entities in the US
  • Government, Military and Media entities of US allies
  • Russian dissidents/political opponents of the Kremlin
  • Russian citizens across different civilian industries and sectors
  • Ukrainian Activists
  • Ukrainian Media
  • Ukrainian Military and Government
  • Governments in Europe, Asia and the Middle East
What are the most notable incidents in Operation Pawn Storm’s history?

Some of Operation Pawn Storm’s most notable activities include:
Adobe and Java Zero-Days in the Pawn Storm Campaign

Zero-day exploits are used in targeted attacks because they are effective, given that software vendors have not created patches for them. In July 2015, we detected suspicious URLs that hosted a newly discovered zero-day exploit in Java, identified as CVE-2015-2590. According to our research, email messages targeting a certain armed forces of a NATO country and a US defense organization contained these malicious URLs where the Java exploit is hosted. Once successfully exploited, it executes arbitrary code on the default Java settings, compromising the security of the system.

In October 13, the attackers behind Pawn Storm have been using Adobe Flash zero-day exploit identified as CVE-2015-7645 for their campaign. Based on our analysis, the Flash zero-day affects at least Adobe Flash Players versions and In this campaign, Pawn Storm targeted several ministries of foreign affairs around the globe, except in Russia. The targets received spear phishing emails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current topics.

Operation Pawn Storm is an ongoing campaign. Get a quick look at the notable developments and how your organization can protect against Pawn Storm in the attached infographic.
Operation Pawn Storm

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.