Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:
- Military agencies, embassies, and defense contractors in the US and its allies
- Opposition politicians and dissidents of the Russian government
- International media
- The national security department of a US ally
The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages.
A Closer Look at SEDNIT
Our investigation into Pawn Storm has shown that the attackers have done their homework. Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.
Figure 1. Phases 1 and 2 in an Operation Pawn Storm attack
The spear phishing emails sent by Pawn Storm attacks can be aimed at very specific targets. In one example, a spear phishing email was sent to only 3 employees of the legal department of a billion-dollar multinational firm. The e-mail addresses of the recipients are not advertised anywhere online. The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers. Luckily nobody clicked on the link in the spear phish e-mail and Trend Micro was able to warn the company in an early stage, thus preventing any further damage.
This attack, however, is just one of the many attacks launched, and there will surely be more. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. Just in June 2014 they compromised government websites in Poland and in September 2014 the website for Power Exchange in Poland, www.irgit.pl, by inserting a malicious iframe pointing to an exploit server at yovtube[dot]co and defenceiq[dot]us. The exploit server was however very selective in infecting victims with SEDNIT, so that SEDNIT malware only got installed on selected systems.
Another technique used by the Pawn Storm attackers is a very clever phishing attack that specifically targets Outlook Web Access users. We will discuss that part in another entry that we will release soon. In the mean time, check the full details of our research in our paper: Operation Pawn Storm.