An in-depth look at the cyberespionage gang Pawn Storm by Trend Micro reveals an incredibly complicated and capable group that has penetrated several important political and government organizations, and for the most part has done so on the back of one of the most well-worn attack methodologies available: phishing.
Trend Micro made its case in a 41-page report entitled Two Years of Pawn Storm.
Just because the attack vector is somewhat easy to pull off does not mean the attacks themselves are simple. Pawn Storm, also known as APT28, Fancy Bear, Sofacy and most likely Guccifer 2.0, spends a great deal of time and effort targeting and properly socially engineering its attacks to ensure the group gets the results it wants. And the targets themselves indicate that the group is not shy about going after the world's heavy hitters, including the Democratic National Party, the German Christian Democratic Union (CDU) headed by Angela Merkel, and the Turkish and Montenegrin parliaments; most recently, Pawn Storm was tied to efforts designed to influence the French presidential election.
The most unusual aspect of Pawn Storm is that, unlike almost every other cybercrime organization, it is not interested in financial gain but in stealing credentials, which can then be used to influence local politics.
“This is not limited to the presidential elections in the U.S., but goes beyond that,” Trend Micro's report stated, adding that the gang's methodology and apparent resources enable it to carry out long-term operations and leverage different attacks that can last for years, such as credential phishing. The attacks detailed include:
• silent data gathering over an extended period of time—Pawn Storm being a prime example since our data tracks them silently collecting information for more than a year
• compromised accounts are used to further penetrate into the network of a victim organization, for example by sending emails using stolen identities
• leaking sensitive emails in order to cause harm to the victim organization and influence public opinion
• domestic espionage on citizens of nations
While understanding what Pawn Storm is trying to accomplish is relatively easy, figuring out why it is doing so is not.
“Pawn Storm threat actors are independent, Russian-based and motivated, but we can't say whether they're state-sponsored,” Jon Clay, Trend Micro's senior global marketing manager, told SC Media. “As a cyber espionage group, Pawn Storm is motivated by influencing public opinion, not financial gain. They are interested in stealing information to use in ways that promote their endeavors versus profit.”
The U.S. government was less reticent about pointing fingers at the Russian government over its involvement in attempting to influence or disrupt the 2016 presidential election, implementing sanctions and ejecting Russian embassy personnel in late December in retaliation.
“All Americans should be alarmed by Russia's actions. In October, my Administration publicized our assessment that Russia took actions intended to interfere with the U.S. election process. These data theft and disclosure activities could only have been directed by the highest levels of the Russian government,” President Obama said in a White House statement.
However, no specific Russian cyber organizations were, or have been, named as being behind the attacks.
And although the group may rely more on phishing, it does not ignore other attack vectors, having been found to use zero-day exploits and watering holes.
Pawn Storm uses two types of phishing attacks to attract victims: bogus websites and the more traditional email-based version.
In the case of French presidential candidate Emmanuel Macron, in the months leading up to the initial vote the gang created:
- onedrive-en-marche[.]fr (March 15, 2017)
- portal-office[.]fr (April 14, 2017)
- mail-en-marche[.]fr (April 12, 2017)
- accounts-office[.]fr (April 17, 2017)
Trend Micro believes the sites were intended to steal credentials that would enable someone to penetrate Macron's campaign further, or simply to install malware.
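The lookalike domains above share a pattern: a service word (onedrive, mail, portal, accounts, office) hyphenated to the campaign name or to another service word. The following Python, an added example and not Trend Micro's or SC Media's code, screens a feed of newly observed domains for that pattern from the defender's side; the SERVICE_WORDS list, the 'en-marche' protected term, the owned-domain allowlist and the benign entries in the sample feed are assumptions chosen to fit the page.

```python
import re

# Service words that credential-phishing hosts hyphenate to a target name or to each
# other, as in the page's portal-office and accounts-office. The list is assumed.
SERVICE_WORDS = {"onedrive", "office", "mail", "accounts", "portal", "login", "outlook", "sharepoint"}

def registrable_label(domain):
    """Label left of the TLD, e.g. 'portal-office' for portal-office[.]fr. Accepts defanged
    '[.]' notation; multi-label public suffixes such as co.uk are assumed absent."""
    host = domain.lower().strip().replace("[.]", ".")
    labels = [l for l in host.split(".") if l]
    return labels[-2] if len(labels) >= 2 else host

def classify_domain(domain, protected_terms, owned_domains):
    """Return why a domain looks like a lookalike of the organisation, or None if it does not."""
    host = domain.lower().strip().replace("[.]", ".")
    if host in owned_domains:
        return None  # the organisation's own registration
    label = registrable_label(host)
    for term in protected_terms:  # rule 1: campaign/brand name embedded in a foreign domain
        if term in label:
            return f"contains protected term '{term}'"
    tokens = re.split(r"[-_]", label)  # rule 2: two or more service words glued together
    if len(tokens) >= 2 and all(t in SERVICE_WORDS for t in tokens):
        return "hyphenated service words: " + "+".join(tokens)
    return None

def find_lookalikes(candidates, protected_terms, owned_domains):
    """Reduce a feed of newly observed domains to {domain: reason} worth an analyst's look."""
    hits = {}
    for d in candidates:
        reason = classify_domain(d, protected_terms, owned_domains)
        if reason:
            hits[d] = reason
    return hits

# Constructed sample feed: the four domains reported on this page plus benign noise.
SAMPLE_FEED = ["onedrive-en-marche.fr", "portal-office[.]fr", "mail-en-marche[.]fr",
               "accounts-office.fr", "en-marche.fr", "office.com", "mail.example.org"]
PROTECTED = ("en-marche",)      # assumed: the campaign name to watch for
OWNED = {"en-marche.fr"}        # assumed: domains the organisation itself controls

if __name__ == "__main__":
    for dom, why in find_lookalikes(SAMPLE_FEED, PROTECTED, OWNED).items():
        print(f"{dom:26} {why}")
```

In practice the feed would come from certificate-transparency logs or new-registration data; single-word brand domains such as office.com are deliberately not flagged, so rule 2 only fires on hyphenated combinations.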
When the gang does turn to email phishing, it relies almost solely on abusing OAuth, the standard that lets users authorize third-party applications to access their online accounts. In the same fashion as the fake websites, Pawn Storm goes to great lengths to make sure the email is sent to a target that will fall for its social engineering scam.
The group's usual modus operandi is to send an advisory email purportedly from Google, Yahoo! or a cybersecurity company asking the recipient to click through to a website where they will be asked to install an application, usually citing security reasons. Interestingly, at one point in the scam the person is led to a legitimate website and then redirected to a fake site, albeit one with an SSL certificate so the browser shows it as secure.
“After abusing the screening process for OAuth approvals, Pawn Storm's rogue application operates like every other app accepted by the service provider. If the user falls for the scam and clicks the “Allow” button, an OAuth token is provided to the app, giving Pawn Storm semi-permanent access to the target's mailbox,” Trend reported.
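A defender's counterpart to the consent trick described above is to audit which third-party apps users have granted mailbox access, since a rogue app "operates like every other app" once approved. The following Python, an added example rather than anything from the Trend Micro report, triages constructed consent-grant records by mailbox scope, refresh-token persistence and publisher verification; the ConsentGrant fields, the grouping of scope names (which are modelled on real Microsoft Graph and Gmail permission names), the PROVIDER_WORDS list and the sample records are assumptions.

```python
from dataclasses import dataclass

# Scopes that hand an app the user's mailbox: Microsoft Graph and Gmail names, grouped here as assumed.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "IMAP.AccessAsUser.All", "https://mail.google.com/"}
PERSISTENCE_SCOPES = {"offline_access"}  # refresh token: access outlives the login session
PROVIDER_WORDS = ("google", "microsoft", "yahoo", "security")  # brands a lure app borrows (assumed)

@dataclass(frozen=True)
class ConsentGrant:  # one user-consent event; the fields are assumed for this example
    user: str
    app_name: str
    client_id: str
    publisher_verified: bool
    scopes: frozenset

def grant_risk(grant, approved_client_ids):
    """Classify one consent event as ('none' | 'medium' | 'high', reasons)."""
    if grant.client_id in approved_client_ids:
        return "none", []  # explicitly vetted integration
    reasons = []
    mailbox = grant.scopes & MAILBOX_SCOPES
    persistent = bool(grant.scopes & PERSISTENCE_SCOPES)
    if mailbox:
        reasons.append("mailbox scope(s): " + ", ".join(sorted(mailbox)))
    if persistent:
        reasons.append("offline_access: refresh token gives semi-permanent access")
    if not grant.publisher_verified:
        reasons.append("unverified publisher")
        if any(w in grant.app_name.lower() for w in PROVIDER_WORDS):
            reasons.append("app name borrows a provider or security brand")
    if mailbox and (persistent or not grant.publisher_verified):
        return "high", reasons  # the combination the report describes
    if mailbox or persistent:
        return "medium", reasons
    return "none", reasons

def triage(grants, approved_client_ids):
    """Return (level, reasons, grant) for medium/high grants, highest risk first."""
    order = {"high": 0, "medium": 1}
    scored = [(*grant_risk(g, approved_client_ids), g) for g in grants]
    return sorted((s for s in scored if s[0] in order), key=lambda s: order[s[0]])

# Constructed sample consent log; users, app names and client ids are placeholders.
GRANTS = [
    ConsentGrant("staffer@example.org", "Google Defender", "app-001", False,
                 frozenset({"Mail.ReadWrite", "offline_access", "User.Read"})),
    ConsentGrant("staffer@example.org", "Calendar Helper", "app-002", True, frozenset({"Calendars.Read"})),
    ConsentGrant("press@example.org", "Mail Merge Pro", "app-003", True, frozenset({"Mail.Read"})),
    ConsentGrant("cto@example.org", "Corporate SSO", "app-sso", False, frozenset({"Mail.ReadWrite"})),
]
APPROVED = {"app-sso"}
```

Calling triage(GRANTS, APPROVED) returns the "Google Defender" grant as high risk and "Mail Merge Pro" as medium; the grants it returns are the ones to review and, if rogue, revoke at the identity provider.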
The group also uses phishing to spread news stories that would be of interest to its targets, with titles such as “Pro-Russian rebels launch new offensive,” “News: Yemen air strikes kill 23 in factory: residents” and “Heavy clashes on Saudi-Yemeni border,” which when opened contain a link to an exploit kit.
With Pawn Storm willing and able to use such a wide variety of attack types, Trend Micro's researchers admitted that defending against the group is a difficult proposition, but on the bright side most of the suggested defensive measures are well known and easily implemented.
“Utilizing a layered security approach to harden and defend at all layers of the IT landscape will help secure against these attacks. Employee education is also key to mitigate the risk of anyone unknowingly letting the threat actors into a network,” Clay said.
The main points Trend pushed were basic steps: minimizing the potential attack surface by keeping the number of people and systems exposed to the internet to a minimum, requiring remote workers to use a VPN, using few domain names, enforcing two-factor authentication for those using webmail, and educating employees.