Pawn Storm APT group returns, and this time, looks for sensitive MH17 plane crash info

Pawn Storm is back at it and most recently aimed its efforts at information on the MH17 plane crash before an official report was released.

Yet again Pawn Storm is back in the news, and this time, the group was documented as targeting the Dutch Safety Board and its work on the official MH17 Malaysia plane crash report.

Trend Micro reported on Thursday that it believes the Advanced Persistent Threat (APT) group coordinated an attack “from several sides” in order to gain access to “sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian and Ukrainian authorities.”

The group mimicked an SFTP server of the Dutch Safety Board in late September and then followed up that effort in mid-October with a phony VPN server. Trend Micro said this marked the first time it had directly documented an APT group attempting to gain access through a VPN server.

That said, the Dutch Safety Board does use temporary token authorization; however, these tokens can be phished and do not necessarily protect against one-time unauthorized access by third parties if a victim falls for a phishing email, the company wrote.

Meanwhile, Pawn Storm simultaneously ramped up its efforts to attack Syrian opposition groups and Arab countries voicing objections to Russia's intervention in the Syria conflict.

The group apparently set up fake OWA servers to target the militaries, ministries of defense and foreign affairs of those dissenting Arab countries.

Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, said in an interview with SCMagazine.com that the group has pretty clear targets, especially considering prior attacks on Polish groups and Ukrainian activists.

“This group is obviously not going to go away and will continue to do what they do and are highly capable,” Cabrera said. “We will see much more activity going forward.”

Really, at this point, only companies dealing with information against Russian interests should be worried, he said. And ultimately, the group's use of zero-days and well-written spear-phishing emails will entice users to click.

The best way to protect against these attacks is to “identify weaknesses and the human factor,” Cabrera said. Of course, always encourage employees to think twice before clicking on a potentially malicious link.
