Critical Read

Report: Pawn Storm a growing cyber threat

What: "Two Years of Pawn Storm: Examining an Increasingly Relevant Threat," a new report by Feike Hacquebord of Trend Micro's Forward-Looking Threat Research Team

Why: Congressional committees and intelligence agencies continue to investigate Russia's campaign to influence the 2016 U.S. presidential election. At the center of that investigation is Pawn Storm, aka APT28, aka Fancy Bear, the sophisticated cyber espionage group linked to Russian military intelligence.

The intelligence community has stated that APT28 acted on orders from the Kremlin to hack Democratic Party servers and officials to steal information that was then leaked to undermine the presidential campaign of Hillary Clinton.

Trend Micro's report argues that over the last two years Pawn Storm has increasingly focused on operations designed to influence public opinion across the globe and has used a wide range of cyber tools to infiltrate the systems and servers of high-level officials, intelligence agencies and militaries.

In addition to phishing scams directed at the Democratic Party and Clinton campaign officials, the report states that in the last two years, Pawn Storm has gone after dozens of targets including Germany's Christian Democratic Union, the Saudi Military, the prime minister of Turkey and the campaign of French presidential candidate Emmanuel Macron.

The report details a variety of tactics used by Pawn Storm, including credential phishing, spear-phishing, watering hole attacks, tabnabbing (a technique that spoofs open browser tabs to collect user information) and compromising DNS settings. The group will often attack on multiple fronts at the same time, Trend Micro says, and that increases the odds it will penetrate the defenses of even the most social-engineering-savvy target.

Pawn Storm is well financed and able to run campaigns for significant periods of time and be "single-minded in their pursuit of their targets," says the report.

Once Pawn Storm has stolen data, it turns to media outlets to release the information in order to influence public opinion. The group also runs false flag operations where it poses as hacktivists or whistleblowers, Hacquebord says.

The report highlights that Pawn Storm does not go to great lengths to conceal its activities, but it is highly successful in protecting the identities of its actors. According to Hacquebord, Pawn Storm has a preference for certain DNS providers, which allows researchers to monitor and detect its activities sometimes before an attack is launched.

At the same time, Pawn Storm chooses providers known for anonymity and accepting Bitcoin payments. Hacquebord speculates that Pawn Storm actors actually enjoy media attention and publicity. Under the media spotlight, Pawn Storm has only ramped up its activities.

Trend Micro argues that citizens around the world could be affected by Pawn Storm as it seeks to manipulate their opinions about domestic and international affairs. Pawn Storm's actions could also inspire copycats, says Hacquebord.

Verbatim: "Aside from manipulating the public, their operations also discredit political figures and disrupt the established media. The proliferation of fake news and fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at high-impact information, presumably in an attempt to skew public perception on a certain topic or person."

Read the full report.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

