Pawn Storm hackers hit the German Christian Democratic Union party

Researchers at Trend Micro discovered that the Pawn Storm threat actor targeted the political party of Chancellor Angela Merkel, the Christian Democratic Union.

Security experts have long followed the operations of the Russian-linked Pawn Storm cyber spies, aka APT 28, Sednit, Sofacy, Fancy Bear and Tsar Team.

In October 2014, security experts at Trend Micro spotted a cyber espionage operation targeting military, government and media agencies across the world. The researchers speculate that the threat actors behind the campaign have been active since at least 2004 and are still running espionage campaigns.

“Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

  • Military agencies, embassies, and defense contractors in the US and its allies
  • Opposition politicians and dissidents of the Russian government
  • International media
  • The national security department of a US ally

” wrote Trend Micro in a blog post.

Now the group has been observed targeting the political party of Chancellor Angela Merkel, the Christian Democratic Union of Germany.

Last year, the computer systems at the German Parliament, the Bundestag, were infected by malware developed by Pawn Storm.

A spokeswoman for the Bundestag confirmed that unknown hackers stole data during the cyber attack.

In April 2015, security experts at Trend Micro spotted a number of phishing attacks targeting members of the Christian Democratic Union (CDU) and high-profile users of the German freemail providers GMX and WEB.DE.

“In April 2016, we discovered that Pawn Storm started a new attack against the German Christian Democratic Union (CDU), the political party of the Chancellor of Germany, Angela Merkel,” states Trend Micro. “The attack consisted of seemingly coordinated credential phishing attacks against the CDU and high-profile users of two German freemail providers.”

The hackers set up a bogus webmail server for the Christian Democratic Union in Latvia with the intent of launching phishing attacks.

They also registered three domains imitating web.de and gmx.de with the same intent, targeting high-profile individual users of the two German free webmail providers.

The three domains are:

  • account-web[.]de
  • account-gmx[.]de
  • account-gmx[.]net

The experts noticed that the attackers used a VPS provider registered in the United Arab Emirates that also has servers in the Netherlands and Romania. The experts linked the same VPS provider to other Pawn Storm campaigns around the world.
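The three lookalike domains above are the kind of indicator a defender can match directly in DNS or proxy logs, and the pattern behind them (a freemail brand name embedded in a foreign registered domain) can be flagged heuristically. The following Python is an added example, not code from the article or from Trend Micro; the log format and the log lines are constructed for illustration, and the "last two labels" registered-domain logic is a deliberate simplification that is adequate for .de/.net/.org but not for multi-label suffixes such as .co.uk.

```python
import re
# Phishing domains reported on the page, defanged the way the article prints them.
REPORTED_DOMAINS = ["account-web[.]de", "account-gmx[.]de", "account-gmx[.]net"]
# Legitimate freemail providers the lookalikes imitate, and their brand labels.
PROTECTED_BRANDS = {"web.de", "gmx.de", "gmx.net"}
BRAND_LABELS = sorted({b.split(".")[0] for b in PROTECTED_BRANDS})  # ["gmx", "web"]

# Constructed sample DNS log lines (not from the article); one query per line.
SAMPLE_LOG = """\
2016-04-12T10:01:02Z client=10.0.0.5 query=mail.gmx.de type=A
2016-04-12T10:01:07Z client=10.0.0.5 query=account-gmx.net type=A
2016-04-12T10:02:41Z client=10.0.0.9 query=www.example.org type=A
2016-04-12T10:03:15Z client=10.0.0.9 query=login.web-konto.net type=A
"""
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<host>\S+)")

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as account-web[.]de back into a hostname."""
    return indicator.replace("[.]", ".").lower()

KNOWN_BAD = {refang(d) for d in REPORTED_DOMAINS}

def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(host: str):
    """Return a reason if host is a reported IoC or embeds a brand label in a
    foreign registered domain (e.g. account-gmx.net); None if it looks benign."""
    reg = registered_domain(host)
    if reg in KNOWN_BAD:
        return "reported Pawn Storm phishing domain"
    if reg in PROTECTED_BRANDS:
        return None  # the genuine provider itself
    tokens = reg.split(".")[0].split("-")  # "account-gmx" -> ["account", "gmx"]
    for label in BRAND_LABELS:
        if label in tokens:
            return f"lookalike of freemail brand '{label}'"
    return None

def scan_dns_log(text: str):
    """Return (client, host, reason) for every query that classify() flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        reason = classify(m["host"]) if m else None
        if reason:
            hits.append((m["client"], m["host"], reason))
    return hits
```

The brand-label heuristic is intentionally noisy (a generic label such as "web" will also match unrelated domains), so treat its hits as leads for review rather than as confirmed indicators.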

“Credential phishing is an important espionage tool: we have witnessed Pawn Storm downloading complete online e-mail boxes and securing future access by e.g. secretly setting up forwarding e-mail addresses,” states Trend Micro.

“It is a recurring theme in recent Pawn Storm attacks; organizations get hit from different angles simultaneously. We have seen that happening time and time again against various governments, armed forces, defense companies and media.”

Experts at Trend Micro have observed more than a dozen active command and control (C&C) servers used to control a strain of espionage malware dubbed X-Agent that was used by hackers against high-value targets.

In March, the Pawn Storm targeted organizations in Turkey, including the government’s Directorate General of Press and Information, the Grand National Assembly, the newspaper Hürriyet, and the Prime Minister’s Office.


Pierluigi Paganini

(Security Affairs – Pawn Storm, cyber espionage)
