Incident Response, TDR

Researchers identify new targets in ‘Operation Pawn Storm’ campaign

The White House and NATO appear to be two of the latest targets in ‘Operation Pawn Storm,' a campaign – written about by Trend Micro in October 2014 – that is believed to be ongoing since 2007 for the purposes of gathering information.

Last year, Trend Micro revealed that military, governments and media from around the world were being targeted in the campaign with SEDNIT malware, which researchers said is a family of malware that is primarily backdoors and information stealers. In February, the attackers were observed infecting iOS devices with spyware.

Most recently, three popular YouTube personalities were targeted in Gmail phishing attacks only four days after the so-called YouTubers interviewed President Barack Obama at the White House, according to a Thursday post.

One of the personalities appeared to have clicked the phishing URL embedded in the emails sent to them, Jon Clay, senior manager of global threat communications at Trend Micro, told in a Thursday email correspondence.

“While we cannot confirm infection, it is possible that this individual was compromised,” Clay said. “This shows the attackers willingness and persistence to identify targets who may allow them to island hop into their true target organization. It also shows that the attackers are constantly viewing world events, which could support their cause by identifying target victims within days of any news associated with their true targets.”

The first quarter of this year has also seen the attackers establish dozens of exploit URLs and a dozen new command-and-control servers targeting NATO members and governments in Europe, Asia, and the Middle East, the post indicated.

The attackers were observed sending emails with a malicious link to what appears to be a legitimate news website. When the link was clicked, a fingerprinting script would load for the purposes of obtaining information such as operating system, time zone, browser and installed plugins.

“When certain criteria are met the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site,” the post stated. “The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you're a Linux user, and Sednit if you're running Windows.”

Other recent attacks involve the attackers setting up a variety of fake Outlook Web Access login pages, including one targeting a U.S. company that sells nuclear fuel to power stations and others targeting the armed forces of two European NATO members, according to the post.

In another attack, a military correspondent for a large U.S. newspaper clicked a link in a phishing email sent to their personal email account. A few weeks later, 55 employees from the newspaper were targeted with phishing emails to their work email addresses.

Last year, Trend Micro researchers said they believed that the purpose of the campaign was to obtain sensitive information. Today, those motivations appear unchanged, Clay said.

“Yes, we still believe the actors behind this campaign are mainly interested in intelligence gathering,” Clay said. “The malware (Sednit and X-Agent) can be used as a backdoor, information stealer, and spyware. Their target data appears to be focused on military and political information found on victims systems or networks.”

Altogether, Trend Micro's update illustrates how the attackers in Operation Pawn Storm have slightly shifted their tactics between when the campaign was first disclosed and now.

“Previously, they used weaponized attachments, whereas now they are using embedded URLs within the phishing emails,” Clay said. “The domains used in the URLs are registered by the actors and typically will be domain names similar to domains the victims are used to.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.