Pawn Storm APT group returns, and this time, looks for sensitive MH17 plane crash info

Yet again Pawn Storm is back in the news, and this time, the group was documented as targeting the Dutch Safety Board and its work on the official MH17 Malaysia plane crash report.

Trend Micro reported on Thursday that it believes the Advanced Persistent Threat (APT) group coordinated an attack “from several sides” in order to gain access to “sensitive material of the investigation conducted by Dutch, Malaysian, Australian, Belgian and Ukrainian authorities.”

The group mimicked an SFTP server of the Dutch Safety Board in late September and then followed up that effort in mid-October with a phony VPN server. Trend Micro said this marked the first time it had directly documented an APT group attempting to gain access through a VPN server.

That said, the Dutch Safety Board does use temporary token authorization; however, these tokens can be phished, and they do not necessarily protect against a one-time unauthorized access by a third party if a victim falls for a phishing email, the company wrote.

Meanwhile, Pawn Storm simultaneously ramped up its efforts to attack Syrian opposition groups and Arab countries voicing objections against Russia's intervention in the Syria conflict.

The group apparently set up fake OWA servers to target the militaries, ministries of defense and foreign affairs of those dissenting Arab countries.

Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, said in an interview with that the group has pretty clear targets, especially considering prior attacks on Polish groups and Ukrainian activists.

“This group is obviously not going to go away and will continue to do what they do and are highly capable,” Cabrera said. “We will see much more activity going forward.”

Really, at this point, only companies dealing with information that runs against Russian interests should be worried, he said. Ultimately, the group's use of zero-days and well-written spear-phishing emails will entice users to click.

The best way to protect against these attacks is to “identify weaknesses and the human factor,” Cabrera said. Of course, always encourage employees to think twice before clicking on a potentially malicious link.
