Operation Pawn Storm is targeting military, government and media agencies

Trend Micro discovered a cyber-espionage operation dubbed  Operation Pawn Storm, which is targeting military, government and media entities worldwide.

A new cyber espionage operation targeting military, government and media agencies on a global scale has been discovered by security experts at Trend Micro. Also in this case it seems that the threat actors behind the operation, dubbed Operation Pawn Storm, have been active since at least 2007 and are still running several attacks worldwide.

“Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

• Military agencies, embassies, and defense contractors in the US and its allies
• Opposition politicians and dissidents of the Russian government
• International media
• The national security department of a US ally

states Trend Micro in a blog post.

In June 2014 the hackers compromised government websites in Poland and last month they injected a malware in the website for Power Exchange in Poland.  The attackers run different attack scenarios ranging from classis spear-phishing to watering hole attacks, in both cases to serve the SEDNIT malware. 

“The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages,” states Trend Micro in a blog post.

The experts consider the attacks as surgery operations, in some cases spear-phishing emails targeted a restricted number of individuals. The attackers also adopted as attack vector a collection of malicious iframes pointing to very selective exploits, the technique was used for the attack against the Polish government websites.

The post explains that in an attack on  billion-dollar multinational firm the group behind the Operation Pawn Storm reached via email just three employees.

“The e-mail addresses of the recipients are not advertised anywhere online,” he noted. “The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers.”

The malware analysts believe that the bad actors behind the Operation Pawn Storm have great cyber capabilities and their operation are financially motivated. The experts consider very interesting the malware they designed to compromise targets and remain persistent in their network to syphon sensitive data.

“Our investigation into Pawn Storm has shown that the attackers have done their homework,” said Jim Gogolinski, Senior Threats Researcher at Trend Micro. “Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.”

The hackers also adopted a very effective technique for their phishing campaigns, to avoid raising suspicions in fact, they used well-known events and conferences such as the Asia-Pacific Economic Cooperation (APEC) Indonesia 2013 and the Middle East Homeland Security Summit 2014 as bait.

Trend Micro has disclosed the details of its investigation in research in a paper titled “Operation Pawn Storm.”

Pierluigi Paganini

(Security Affairs – Operation Pawn Storm, cyber espionage)