Critical Read

Report: Pawn Storm a growing cyber threat


What: "Two Years of Pawn Storm: Examining an Increasingly Relevant Threat," a new report by Feike Hacquebord of Trend Micro's Forward-Looking Threat Research Team

Why: Congressional committees and intelligence agencies continue to investigate Russia's campaign to influence the 2016 U.S. presidential election. At the center of that investigation is Pawn Storm, aka APT28, aka Fancy Bear, the sophisticated cyber espionage group linked to Russian military intelligence.

The intelligence community has stated that APT28 acted on orders from the Kremlin to hack Democratic Party servers and officials to steal information that was then leaked to undermine the presidential campaign of Hillary Clinton.

Trend Micro's report argues that over the last two years Pawn Storm has increasingly focused on operations designed to influence public opinion across the globe and has used a wide range of cyber tools to infiltrate the systems and servers of high-level officials, intelligence agencies and militaries.

In addition to phishing scams directed at the Democratic Party and Clinton campaign officials, the report states that in the last two years, Pawn Storm has gone after dozens of targets including Germany's Christian Democratic Union, the Saudi Military, the prime minister of Turkey and the campaign of French presidential candidate Emmanuel Macron.

The report details a variety of tactics used by Pawn Storm, including credential phishing, spear-phishing, watering hole attacks, tabnabbing (a technique that spoofs open browser tabs to collect user information) and compromising DNS settings. The group will often attack on multiple fronts at the same time, Trend Micro says, and that increases the odds it will penetrate the defenses of even the most social-engineering-savvy target.

Pawn Storm is well financed and able to run campaigns for significant periods of time and be "single-minded in their pursuit of their targets," says the report.

Once Pawn Storm has stolen data, it turns to media outlets to release the information in order to influence public opinion. The group also runs false flag operations where it poses as hacktivists or whistleblowers, Hacquebord says.

The report highlights that Pawn Storm does not go to great lengths to conceal its activities, but it is highly successful in protecting the identities of its actors. According to Hacquebord, Pawn Storm has a preference for certain DNS providers, which allows researchers to monitor and detect its activities sometimes before an attack is launched.

At the same time, Pawn Storm chooses providers known for anonymity and accepting Bitcoin payments. Hacquebord speculates that Pawn Storm actors actually enjoy media attention and publicity. Under the media spotlight, Pawn Storm has only ramped up its activities.

Trend Micro argues that citizens around the world could be affected by Pawn Storm as it seeks to manipulate their opinions about domestic and international affairs. Pawn Storm's actions could also inspire copycats, says Hacquebord.

Verbatim: "Aside from manipulating the public, their operations also discredit political figures and disrupt the established media. The proliferation of fake news and fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at high-impact information, presumably in an attempt to skew public perception on a certain topic or person."

Read the full report.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.
