Pawn Storm: The Power of Social Engineering

Credit to Author: Ed Cabrera (Chief Cybersecurity Officer) | Date: Tue, 25 Apr 2017 12:00:02 +0000

Anyone familiar with Pawn Storm (a.k.a. APT28, Fancy Bear, Strontium, etc.) is likely to associate the group with highly sophisticated targeted attacks that compromise government and media agencies around the world. In our latest report, researchers expose the true nature and scope of the cyber espionage group’s attacks and methodologies.

Pawn Storm has managed to compromise high-ranking members of governments across the globe, not through highly sophisticated malware or technical prowess, but with intelligent and calculated social engineering.

The power of phishing

The threat actors utilize credential phishing campaigns at the core of their practice. They are successful by using proper spelling and grammar in their emails, evading spam filters, and playing on current events.

Corporate webmail accounts are targeted as a weak point in a business ecosystem. These accounts can provide confidential data that might prove useful in an attempt to influence public opinion. For example, Pawn Storm stole data from webmail accounts of the World Anti-Doping Agency (WADA) in 2016, leaking it under the pseudonym “Fancy Bear,” to influence public opinion surrounding Russian athletes who were blocked from the summer Olympics. Additionally, webmail accounts may be used as a stepping stone to further infiltrate the target organization.

They also maintain long-running campaigns against high-profile users of free international webmail providers, such as Yahoo! and Gmail. In these attacks, Pawn Storm actors persistently send phishing emails to targets, sometimes several a week, trying different approaches to reach their goal. Our researchers have collected thousands of these emails since early 2015.
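The credential-phishing lures described above work because the message itself reads cleanly; the indicators that survive are in the links, not the prose. The following is an added example, not code from the Trend Micro post, that parses a constructed webmail-themed lure and flags link-level signs of credential phishing: visible link text whose host differs from the real destination, a credential-style path on a host outside an assumed allow-list of the organisation's webmail hosts, and plaintext HTTP. All domains in the sample are placeholders, not indicators from the report.

```python
"""Added example (not from the Trend Micro post): flag credential-phishing
indicators in a webmail-themed lure. The sample message is constructed."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the link text shows the real provider, the href does not.
# The domains are placeholders, not real indicators.
SAMPLE_EMAIL = """From: "Mail Team" <security@mail-provider.example>
To: target@victim.example
Subject: Unusual sign-in activity on your account
Content-Type: text/html

<html><body>
<p>We noticed a sign-in from a new device. Please confirm it was you:</p>
<a href="http://account-verify.example.net/login?u=target">https://mail-provider.example/security</a>
</body></html>
"""

# Hosts the organisation actually uses for webmail (assumed allow-list).
TRUSTED_WEBMAIL_HOSTS = {"mail-provider.example"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def analyze_email(raw):
    """Return a list of indicator strings found in the message's links."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    parser = _LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        # Link text that looks like a URL but resolves to a different host
        text_host = _host(text) if re.match(r"https?://", text) else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but goes to {href_host}")
        # Login-style path on a host that is not one of our webmail hosts
        if href_host and href_host not in TRUSTED_WEBMAIL_HOSTS:
            if re.search(r"login|signin|verify|password", href, re.I):
                findings.append(f"credential-style path on untrusted host {href_host}")
        if urlparse(href).scheme == "http":
            findings.append(f"plaintext http link to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, `analyze_email` returns three findings, one per check. The allow-list and the path keywords are assumptions for the example; in a real mail gateway they would come from the organisation's own webmail configuration.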

Credentials lead to espionage

After a target succumbs to the socially engineered phishing lure by clicking a malicious link or opening a weaponized attachment, the threat actor uses relatively simple first stage malware to tour the target’s computer and see what they find. Pawn Storm has been seen silently gathering data in a target’s system for more than a year. After learning more about the victim, they may release the second stage of malware – though this only occurs with targets who are deemed very high profile, which is a small portion of overall victims.

Pawn Storm has been known to use this data in two ways:

  1. Compromised accounts are used to further penetrate the organization’s network, even sending emails using stolen identities
  2. Stolen sensitive emails may be publicly leaked to cause harm to the victim organization and influence the public’s opinion of them

Protect against phishing

Governments and organizations that may be seen as a threat to the Russian government should fortify their virtual defenses. This includes protecting webmail through the following measures:

  • Increase security with two-factor authentication
  • Require employees to log in to the company VPN prior to accessing webmail
  • Add a physical security key for authentication
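The three measures above can be enforced and audited as one access policy. The following is an added example, not code from the Trend Micro post, that evaluates constructed webmail sign-in events against that policy: the source address must fall inside assumed corporate VPN egress ranges, a second factor must be present, and the preferred factor is a physical security key. The log format, the VPN ranges and the factor labels are all assumptions for the example.

```python
"""Added example (not from the Trend Micro post): audit webmail sign-ins
against the VPN, two-factor and security-key controls. Events are constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed corporate VPN egress ranges (documentation prefixes, not real ones).
VPN_EGRESS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sign-in events: timestamp, user, source IP, second factor, result.
# Factor labels are assumed: "none", "totp" (app code), "hwkey" (physical key).
SAMPLE_EVENTS = """2017-04-25T09:01:12Z alice 203.0.113.17 hwkey success
2017-04-25T09:03:40Z bob 198.51.100.9 totp success
2017-04-25T09:05:02Z carol 192.0.2.44 none success
2017-04-25T09:07:55Z dave 203.0.113.80 none success
2017-04-25T09:10:21Z erin 192.0.2.51 hwkey success
2017-04-25T09:12:09Z frank 192.0.2.60 none failure"""


@dataclass
class SignIn:
    ts: str
    user: str
    src: ipaddress.IPv4Address
    factor: str
    result: str


def parse_events(text):
    """Parse the whitespace-separated event lines into SignIn records."""
    out = []
    for line in text.splitlines():
        ts, user, ip, factor, result = line.split()
        out.append(SignIn(ts, user, ipaddress.ip_address(ip), factor, result))
    return out


def policy_violations(event):
    """Return the controls a successful sign-in violated (empty = compliant).

    Failed sign-ins are not policy violations; only granted access counts.
    """
    if event.result != "success":
        return []
    violations = []
    if not any(event.src in net for net in VPN_EGRESS):
        violations.append("not via corporate VPN")
    if event.factor == "none":
        violations.append("no second factor")
    elif event.factor != "hwkey":
        violations.append("second factor is not a physical security key")
    return violations


def report(text):
    """Map each user with a non-compliant successful sign-in to its violations."""
    result = {}
    for event in parse_events(text):
        violations = policy_violations(event)
        if violations:
            result[event.user] = violations
    return result


if __name__ == "__main__":
    for user, violations in report(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(violations)}")
```

On the constructed events only `alice` is fully compliant; `carol` breaks two controls, `dave` reached webmail over the VPN but without a second factor, and `erin` used a hardware key from outside the VPN. Treating a non-key factor as a (lesser) finding is a design choice that fits the post's third measure; an organisation that has not yet rolled out keys would downgrade that check to a warning.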

Additionally, educating employees at all levels in the organization is critical. Regardless of how convincing the email may sound, don’t open attachments from unverified senders or click links in the emails. We also recommend adding a comprehensive email security tool to protect against not only phishing, but also ransomware and other targeted attacks.

For more information on Pawn Storm, visit Trend Micro’s complete research hub, where you can find three years of research and data on the group and their affairs.
