Operation Pawn Storm is an ongoing cyber espionage campaign that’s as far-reaching as it is ambitious. It has been known to primarily target military, embassy, and defense contractor personnel from the United States and its allies, including government institutions such as the North Atlantic Treaty Organization (NATO). Opposing factions, dissidents of the Russian government, international media, and high-profile political personalities in Ukraine are targeted as well.
Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of high-profile entities, from government institutions to media personalities. Its activities were first seen as far back as 2004, but recent developments have revealed more concrete details about the operation itself, including its origins and targets.
What makes it different from other cyber espionage groups/operations?
Operation Pawn Storm is distinct from other politically-inclined threat actor groups because of its attack methods, which include the following:
Utilizing spear-phishing emails that lead to SEDNIT/Sofacy. The spear-phishing email itself may use geopolitical material or subjects as bait to get the recipient to open it. SEDNIT is malware known for its backdoor and information-stealing routines.
Creating fake Outlook Web Access (OWA) login pages as credential-phishing payloads. A variant of their spear-phishing emails redirected users to a fake Outlook Web Access login page instead, in the hope of stealing their login credentials. One of the many targets of this particular method was the US defense contractor ACADEMI, formerly known as Blackwater.
Exploiting the following vulnerabilities: CVE-2010-3333, CVE-2012-0158, CVE-2013-1347, CVE-2013-3897, CVE-2014-1761, CVE-2014-1776, CVE-2015-2590, CVE-2015-4902, CVE-2015-7645
Creating (and using) iOS malware for espionage. The malicious app, detected by Trend Micro as either IOS_XAGENT.A or IOS_XAGENT.B, steals all sorts of information from the mobile device it infects, such as messages, contact lists, geo-location data, pictures and even voice recordings.
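The fake OWA login pages described above are reached through links in the spear-phishing email. As an added example (not code from the Trend Micro page), the following Python checks an HTML email body for links that present themselves as an OWA sign-in but point away from the organization's real portal; the legitimate host "owa.example.com" and the sample email body are constructed assumptions.

```python
# Added example: flag e-mail links that imitate an Outlook Web Access portal.
# Assumes the defender knows the organization's real OWA host (constructed).
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_OWA_HOST = "owa.example.com"  # assumption: the organization's real portal
OWA_WORDS = ("owa", "outlook", "webmail")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def suspicious_owa_links(html_body):
    """Return links that look like an OWA login but leave the legitimate host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        host = host_of(href)
        if host == LEGIT_OWA_HOST:
            continue  # genuine portal link, nothing to flag
        looks_owa = any(w in text.lower() or w in host for w in OWA_WORDS)
        # Visible text that is itself a URL for a different host is a classic lure.
        text_host = host_of(text) if "://" in text else ""
        mismatch = bool(text_host) and text_host != host
        if looks_owa or mismatch:
            hits.append((href, text))
    return hits


# Constructed sample: a quota-warning lure with a look-alike host ("exarnple").
SAMPLE = ('<p>Mailbox quota exceeded. Sign in at '
          '<a href="https://owa.exarnple.com/auth">https://owa.example.com/</a> '
          'or <a href="https://owa.example.com/">the portal</a>.</p>')
```

Running `suspicious_owa_links(SAMPLE)` returns only the look-alike link; the genuine portal link is skipped.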
Who are its targets?
Operation Pawn Storm is known to have targeted the following:
NATO and the organization's member states
Government, Military and Media entities in the US
Government, Military and Media entities of US allies
Russian dissidents/political opponents of the Kremlin
Russian citizens across different civilian industries and sectors
Ukrainian Military and Government
Governments in Europe, Asia and the Middle East
What are the most notable incidents in Operation Pawn Storm’s history?
Some of Operation Pawn Storm’s most notable activities include:
September 2014 – targeted a large US nuclear fuel dealer by setting up fake Outlook Web Access login pages for its employees. Also launched fake OWA login page attacks against military and defense institutions in the US and Europe
October 2015 – discovered by Trend Micro to be using Adobe Flash zero-day exploit code and targeted several ministries of foreign affairs via spear phishing emails
Adobe and Java Zero-Days in the Pawn Storm Campaign
Zero-day exploits are used in targeted attacks because they are effective: software vendors have not yet created patches for them. In July 2015, we detected suspicious URLs that hosted a newly discovered zero-day exploit in Java, identified as CVE-2015-2590. According to our research, email messages targeting the armed forces of a certain NATO country and a US defense organization contained these malicious URLs where the Java exploit was hosted. Once successfully exploited, it executes arbitrary code under the default Java settings, compromising the security of the system.
On October 13, the attackers behind Pawn Storm were found to be using an Adobe Flash zero-day exploit identified as CVE-2015-7645 in their campaign. Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 188.8.131.52 and 184.108.40.206. In this campaign, Pawn Storm targeted several ministries of foreign affairs around the globe, except in Russia. The targets received spear-phishing emails that contained links leading to the exploit. The emails and URLs were crafted to appear to lead to information about current topics.
Operation Pawn Storm is an ongoing campaign. Get a quick look at the notable developments and how your organization can protect against Pawn Storm in the attached infographic.