The Dutch Safety Board (known as Onderzoeksraad) became a target of the cyber-espionage group before and after the safety board published their detailed report on the MH17 incident on October 13, 2015. We believe that a coordinated attack from several sides was launched to get unauthorized access to sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities.
Figure 1. Official site of the Dutch Safety Board and the press release for the MH17 investigations
We discovered that a fake server mimicking an SFTP server of the Dutch Safety Board was set up on September 28, 2015; later a fake VPN server of the same organization was set up on October 14, 2015. It is very likely these were used for credential phishing attacks against personnel of the Safety Board in order to get unauthorized access to both the SFTP and the VPN server.
This is the first time we have seen direct evidence that an APT group attempted to get unauthorized access to a VPN server. The VPN server of the Safety Board looks to use temporary tokens for authentication. However, these tokens can be phished in a straightforward way and tokens alone do not protect against one-time unauthorized access by third parties, once the target falls for the phishing attack.
The attacks weren’t limited to the Dutch Safety Board. On September 29 2015, a fake Outlook Web Access (OWA) server was set up to target an important partner of the Dutch Safety Board in the MH17 investigation. We were able to warn the affected party in a very early stage, thus probably preventing the attack to succeed.
These discoveries show that it is very likely that Pawn Storm coordinated attacks against different organizations to get sensitive information on the MH17 plane crash.
Pawn Storm and Syria
Pawn Storm has also intensified attacks against Syrian opposition groups and Arab countries that voiced objections against the recent interventions of Russia in Syria.
Last September, several Syrian opposition members in exile were the targets of advanced credentials attacks. Then in September and October 2015, several fake OWA servers were set up, targeting the military, ministries of defense, and foreign affairs of about all Arab countries that criticized the Russian intervention in Syria.
Figure 2. Fake OWA server of the armed forces of a targeted Arab country
The Pawn Storm Campaign
Pawn Storm is a long-running cyber-espionage campaign that has had numerous international targets, including the White House and the North Atlantic Treaty Organization. But our research also shows that while Pawn Storm’s targets have mostly been external political entities outside of Russia, a great deal of targets can actually be found within the country’s borders. Some of their “local” targets include peace activists, bloggers, and politicians.
For its cyber-espionage attacks, Pawn Storm is known for launching simple but effective phishing campaigns against organizations that have their webmail exposed to the Internet. The group is also known to use zero-day exploits.