In yet another cyber espionage campaign that serves as a chilling reminder that China isn't the only game in town when it comes to advanced persistent threats, attackers are hammering US and allied military officials and defense contractors -- as well as news media outlets -- in a series of hacks that aim to gain economic and political intelligence.
Trend Micro published a report today on the so-called Operation Pawn Storm cyber espionage campaign that has been in action since 2007 and has become more sophisticated, with the attackers getting adept at remaining inside their targets even after being detected. The security firm stopped short of tying the attacks specifically to any particular nation, but the targeted organizations and regions, as well as the timing geopolitically, appear to point to Russia or Russian interests. The attackers are going after the US, NATO allies, and Russian dissidents.
The targets of some of the phishing attacks include ACADEMI (the US defense contractor formerly known as Blackwater), SAIC, and the Organization for Security and Cooperation in Europe.
Tom Kellermann, chief cybersecurity officer at Trend Micro, says it's difficult to confirm just who the attackers are, but the current "cold cyberwar" between Russia and the US and its allies provides motivation for pro-Russian factions. He says it's difficult to ascertain whether the attackers are Russian gangs or pro-Russian patriots in Belarus, for example.
Unlike Chinese operations, Russian cyber espionage is more skilled and less noisy, he says. "We're seeing more and more traditional cybergangs lending their skill. Whether or not it's code or footprints they already had" in systems is hard to tell, as well.
The group behind Operation Pawn Storm obviously knows its targets well, indicating that members have done their homework, according to Trend Micro. The attacks employ convincing spear phishing emails with malicious Microsoft Office files, a network of typosquatted domains, an Outlook Web Access ploy, and malicious iframes planted on legitimate websites frequented by their targets.
Among the most sophisticated elements of the attacks: The attackers basically employ a disposable command and control approach to stay alive in the targeted network. "The command and control terminates after it's been used once. It's a way of evading FireEye basically," Kellermann says. The attackers seem to be well aware that detection technologies such as FireEye's are being used to terminate the C&C once it's spotted, so they just keep reinventing it.
The "pawns" are the dynamic C&Cs that allow the attackers to maintain their foothold in the network. "This is happening behind the scenes. They are altering their movement," he says. "I think it's significant… how they conduct reconnaissance on the initial targets and on specific individuals attending specific events."
In one example of just how targeted and specific the attacks are, the attackers sent a spear phishing email to three employees in the legal department of a major multinational company, Trend Micro researchers said in a blog post about the attacks. "The e-mail addresses of the recipients are not advertised anywhere online. The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers. Luckily nobody clicked on the link in the spear phish e-mail and Trend Micro was able to warn the company in an early stage, thus preventing any further damage."
The exposure of the Pawn Storm hackers comes on the heels of a report by iSIGHT Partners on the so-called Sandworm cyber espionage group out of Russia, which also is targeting NATO, a US think-tank, the Ukrainian government, as well as other targets.
If a victim opens a rigged Office document in an email, it drops malware that logs and grabs information on the victim. The attackers use the SEDNIT/Sofacy family of malware, a multi-stage downloader that helps the attackers evade detection. "We believe the threat actors aimed to confuse their targets' IT administrators by making it hard for them to string attack components together," Trend said in its newly published report. The attackers also timed their email campaigns with upcoming political events and meetings their defense contractor and government agency targets were attending or following, such as the Asia-Pacific Economic Cooperation Forum and the Middle East Homeland Security Summit.
As for the typosquatting method, the attackers lured their victims to phony domain names that are nearly identical to legitimate ones. "Targets are led to typosquatted domain names that resemble a legitimate news site or a site for a conference through spear phishing e-mails (without malicious attachments)," Trend Micro said. "When the e-mails get opened in Outlook Web Access (OWA) in the preview pane, targets are likely to fall victim to advanced phishing."
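The lookalike-domain lure described above is something a mail gateway or SOC can screen for on the receiving end. The following is an added example, not code from Trend Micro or from the report: it pulls links out of an inbound message body, folds common visual substitutions (such as "rn" for "m" or "1" for "l") back to the letters they imitate, and compares the registered domain against an allowlist of sites staff are known to visit, flagging both near-miss spellings and a real brand name smuggled into a subdomain of an unrelated domain. The allowlist entries, the sample message, and the attacker domains are constructed for illustration; the registered-domain logic assumes two-label suffixes only (a production deployment would consult the Public Suffix List instead).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate news and conference domains staff visit.
KNOWN_DOMAINS = ["example-news.com", "example-summit.org"]

# Visual substitutions attackers commonly use in lookalike domains,
# mapped to the characters they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public
    suffixes such as co.uk (use the Public Suffix List in real deployments)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(url: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return (verdict, registered_domain, matched_known_domain_or_None)."""
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg in known:
        return ("legitimate", reg, None)
    # A known brand appearing anywhere in a host whose registered domain is
    # not on the allowlist: e.g. example-news.com.attacker.invalid
    for k in known:
        if k in host:
            return ("embedded-brand", reg, k)
    # Near-miss spelling of a known domain's leading label after homoglyph folding.
    reg_label = normalize(reg.split(".")[0])
    best = min(known, key=lambda k: levenshtein(reg_label, normalize(k.split(".")[0])))
    if levenshtein(reg_label, normalize(best.split(".")[0])) <= max_distance:
        return ("lookalike", reg, best)
    return ("unknown", reg, None)


def scan_email(body: str) -> dict:
    """Map every URL found in a message body to its classification."""
    return {url: classify(url) for url in URL_RE.findall(body)}


# Constructed sample message with one legitimate link and several lures.
SAMPLE_EMAIL = """Dear colleague,
Agenda for the summit: http://www.example-summit.org/agenda
Updated login portal: http://examp1e-news.com/login
Conference portal: http://exarnple-summit.org/register
Read coverage here: http://example-news.com.evil-attacker.invalid/owa
Unrelated: http://totally-unrelated.invalid/
"""

if __name__ == "__main__":
    for url, (verdict, reg, match) in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:15} {reg:35} {match or ''}  <- {url}")
```

Only links whose registered domain is on the allowlist pass as legitimate; a homoglyph-folded label within two edits of a known domain, or a known domain buried inside a longer host, is surfaced for review rather than being treated as benign because it merely looks familiar.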
According to Kellermann, "the most interesting thing about this campaign is how it's evolved over the years and become more streamlined and much more capable of lateral movement and innovation, especially in the last year."
The full report is available here.