
SEDNIT malware delivered in ‘Operation Pawn Storm’

Military, governments and media from around the world are targets in a campaign identified by Trend Micro, which the company is referring to as ‘Operation Pawn Storm.’

Among the targets identified by Trend Micro are the U.S. Department of State, American private military company Academi, Science Applications International Corporation, the Ministry of Defense in France, the Ministry of Defense in Hungary, and the Austria-based Organization for Security and Co-operation in Europe, as well as Pakistani military officials, Polish government employees, and broadcasting companies from various countries, according to a research paper.

Evidence suggests that the attackers have been operating since 2007 and are after sensitive data, but a Trend Micro researcher, who asked to remain anonymous, said in a Thursday email that the research team could not speculate on the identity of the threat actors or the motivation behind the campaign.

Several attack vectors are being used in Operation Pawn Storm.

The attackers crafted spear phishing emails about events from around the globe – carefully written to coincide with upcoming meetings and summits – and sent the messages, with malicious documents attached, to individuals whom they expected to be interested, according to the research paper. Another tactic involved injecting malicious iframes into legitimate websites, which then led visitors to exploits.

Both attacks resulted in victims being infected with SEDNIT malware.

“SEDNIT is a family of malware that is primarily backdoors and information stealers,” the researcher said. “It works by running on a compromised system, receiving commands and illicitly and surreptitiously gathering and transmitting data. SEDNIT doesn't help evade detection per se, but is a key component for a targeted attack of this type by providing the means to steal information from compromised systems.”

Another tactic used a JavaScript trick against Microsoft Outlook Web Access users: the attackers redirected recipients to phishing websites with domain names almost identical to those of well-known conferences and media groups and, ultimately, stole credentials, according to the research paper.
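The article does not spell out what the "JavaScript trick" is. The following is an added example, not code from Trend Micro's paper or from the campaign, written on the assumption that the trick is reverse tabnabbing: a link opened in a new tab from the webmail session uses window.opener to swap the still-open webmail tab for a look-alike login page. The tab objects, the conference URL and both webmail host names (a genuine one and a look-alike that swaps "m" for "rn") are constructed stand-ins, not real addresses. The model also shows the two checks a webmail operator has: strip the opener handle from rendered links, and verify the host of any page that asks for credentials.

```javascript
"use strict";

// Added example (not from the article or Trend Micro's paper). Browser tabs are
// modelled as plain objects so the attack and the mitigation run under Node
// with no DOM or network access.

// A tab is its current location plus a handle to the tab that opened it.
function makeTab(href) {
  return { location: { href }, opener: null };
}

// Models window.open / <a target="_blank">: unless "noopener" is requested,
// the new tab keeps a handle to the webmail tab that opened it.
function openInNewTab(openerTab, href, { noopener = false } = {}) {
  const tab = makeTab(href);
  tab.opener = noopener ? null : openerTab;
  return tab;
}

// Attacker-controlled script on the "conference" page the user just opened.
// It rewrites the location of the tab behind the user, so when they go back
// to what they believe is their webmail tab they see a look-alike login form.
// Returns true if the hijack succeeded, false if there was no opener to abuse.
function tabnabScript(win, phishingLoginUrl) {
  if (!win.opener) return false; // mitigation in place: nothing to hijack
  win.opener.location.href = phishingLoginUrl;
  return true;
}

// Defender-side check: a page asking for webmail credentials must be served
// from exactly the webmail host; look-alike domains differ by a character.
function isGenuineWebmail(href, genuineHost) {
  return new URL(href).host === genuineHost;
}

// Constructed scenario; hosts are placeholders, not real OWA or phishing domains.
const GENUINE_OWA = "owa.example-mod.test";
const LOOKALIKE_LOGIN = "https://owa.example-rnod.test/owa/auth/logon.aspx";

function runScenario({ noopener }) {
  const owaTab = makeTab(`https://${GENUINE_OWA}/owa/`);
  // The user clicks a link in a mail that points at a conference agenda.
  const conferenceTab = openInNewTab(owaTab, "https://conference-2014.test/agenda", { noopener });
  // The attacker's page in the new tab runs its script.
  const hijacked = tabnabScript(conferenceTab, LOOKALIKE_LOGIN);
  return {
    hijacked,
    owaTabHref: owaTab.location.href,
    stillGenuine: isGenuineWebmail(owaTab.location.href, GENUINE_OWA),
  };
}

// Hardening the links a webmail client renders: add rel="noopener" so the
// opened tab has no handle back to the mail tab. Current browsers imply
// noopener for target="_blank", but the browsers of 2014 did not.
function hardenAnchor(html) {
  return html.replace(/<a\b([^>]*?)target="_blank"([^>]*)>/gi, (match, pre, post) => {
    if (/rel="[^"]*noopener/i.test(match)) return match; // already hardened
    return `<a${pre}target="_blank" rel="noopener noreferrer"${post}>`;
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario({ noopener: false })); // hijacked: true, stillGenuine: false
  console.log(runScenario({ noopener: true }));  // hijacked: false, stillGenuine: true
  console.log(hardenAnchor('<a href="https://conference-2014.test/" target="_blank">Agenda</a>'));
}
```

Run it with `node` to see both outcomes: with an opener handle the webmail tab ends up on the look-alike host, and the host comparison is what exposes the swap, since the page itself can be a pixel-perfect copy. Note that the noopener fix only closes this particular channel; the credential-theft site still works if the user simply types the address or follows a direct link, which is why the researcher's advice on two factor authentication stands on its own.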

Victims identified by Trend Micro have been notified.

“The entire operation is noteworthy for its sophistication and for the focus on military and defense targets,” the researcher said. “The spoofing of corporate webmail systems in such a sophisticated manner is of particular interest: administrators of systems with web-based mail should take note of this development and consider looking at two factor authentication systems to help protect their systems.”
