Dark Reading is part of the Informa Tech Division of Informa PLC

US Military Officials, Defense Firms Targeted In 'Operation Pawn Storm'

Cyber espionage attackers "did their homework" in an attack campaign that has intensified in the wake of US-Russian tensions.

In yet another cyber espionage campaign that serves as a chilling reminder that China isn't the only game in town when it comes to advanced persistent threats, attackers are hammering US and allied military officials and defense contractors -- as well as news media outlets -- in a series of hacks that aim to gain economic and political intelligence.

Trend Micro published a report today on the so-called Operation Pawn Storm cyber espionage campaign that has been in action since 2007 and has become more sophisticated, with the attackers getting adept at remaining inside their targets even after being detected. The security firm stopped short of tying the attacks specifically to any particular nation, but the targeted organizations and regions, as well as the timing geopolitically, appear to point to Russia or Russian interests. The attackers are going after the US, NATO allies, and Russian dissidents.

The targets of some of the phishing attacks include ACADEMI (the US defense contractor formerly known as Blackwater), SAIC, and the Organization for Security and Cooperation in Europe.

Tom Kellermann, chief cybersecurity officer at Trend Micro, says it's difficult to confirm just who the attackers are, but the current "cold cyberwar" between Russia and the US and its allies provides motivation for pro-Russian factions. He says it's difficult to ascertain whether the attackers are Russian gangs or pro-Russian patriots in Belarus, for example.

Unlike Chinese operations, Russian cyber espionage is more skilled and less noisy, he says. "We're seeing more and more traditional cybergangs lending their skill. Whether or not it's code or footprints they already had" in systems is hard to tell, as well. 

The group behind Operation Pawn Storm obviously knows its targets well, indicating that members have done their homework, according to Trend Micro. The attacks employ convincing spear phishing emails with malicious Microsoft Office files, a network of typo squatted domains, an Outlook Web Access ploy, and malicious iFrames planted on legitimate websites frequented by their targets.
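One of the tactics listed above is planting malicious iframes on legitimate sites the targets already visit. The following is an added example, not code from Trend Micro or from the Pawn Storm report: a small scanner a site owner could run over their own pages to flag iframes that look injected rather than intended, namely frames that are hidden (zero size, display:none, pushed off-screen) or that load content from a host other than the page's own. The HTML and hostnames in it are constructed placeholders, not sites from the campaign.

```python
"""Scan a web page for iframes that look planted rather than intended.

Added example for this article, not code from Trend Micro or from the
Pawn Storm report. The HTML below is constructed for illustration; the
hostnames in it are placeholders, not sites from the campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value: str) -> bool:
    """True for width/height values of 0 or 1, with or without a px suffix."""
    digits = value.strip().lower().removesuffix("px")
    return digits.isdigit() and int(digits) <= 1


def is_hidden(attrs: dict) -> bool:
    """Heuristics for an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or "left:-" in style or "top:-" in style          # pushed off-screen
        or _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))
        or "hidden" in attrs                              # bare 'hidden' attribute
    )


def suspicious_iframes(page_html: str, page_host: str) -> list:
    """Return (src, severity) for iframes worth a look.

    high   : off-site source and hidden (the classic drive-by injection shape)
    medium : off-site but visible, or hidden but served from the page's own host
    """
    collector = IframeCollector()
    collector.feed(page_html)
    page_host = page_host.lower()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        offsite = bool(host) and host != page_host and not host.endswith("." + page_host)
        hidden = is_hidden(attrs)
        if offsite and hidden:
            findings.append((src, "high"))
        elif offsite or hidden:
            findings.append((src, "medium"))
    return findings


# Constructed page: a visible third-party video embed, a same-site widget,
# and an injected 1x1 frame pointing at a placeholder attacker host.
SAMPLE_PAGE = """
<html><body>
<h1>Conference programme</h1>
<iframe src="https://video.example-cdn.net/embed/123" width="560" height="315"></iframe>
<iframe src="/widgets/agenda" width="400" height="300"></iframe>
<iframe src="http://cdn-stats.example-attacker.net/c.php" width="1" height="1"
        style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, severity in suspicious_iframes(SAMPLE_PAGE, "www.example-news.org"):
        print(f"{severity:6} {src}")
```

Run against the constructed page, the video embed is reported as medium (off-site but visible) and the 1x1 off-screen frame as high; the same-site widget is not reported. Hidden frames served from the site's own host still rate medium, since a compromised site can host the attacker's loader itself.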

Among the most sophisticated elements of the attacks: the attackers employ what amounts to a disposable command-and-control (C&C) infrastructure to keep their foothold in the targeted network. "The command and control terminates after it's been used once. It's a way of evading FireEye basically," Kellermann says. The attackers appear to be well aware that detection technologies such as FireEye's are used to spot and cut off C&C traffic once it is identified, so they simply keep rotating their C&C rather than reusing it.

The "pawns" are the dynamic C&Cs that allow the attackers to maintain their foothold in the network. "This is happening behind the scenes. They are altering their movement," he says. "I think it's significant… how they conduct reconnaissance on the initial targets and on specific individuals attending specific events."

In one example of just how targeted and specific the attacks are, the attackers sent a spear phishing email to three employees in the legal department of a major multinational company, Trend Micro researchers said in a blog post about the attacks. "The e-mail addresses of the recipients are not advertised anywhere online. The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers. Luckily nobody clicked on the link in the spear phish e-mail and Trend Micro was able to warn the company in an early stage, thus preventing any further damage."

The exposure of the Pawn Storm hackers comes on the heels of a report by iSIGHT Partners on the so-called Sandworm cyber espionage group out of Russia, which also targets NATO, a US think tank, the Ukrainian government, and others.

If a victim opens a rigged Office document attached to an email, it drops malware that logs activity on and steals information from the victim's machine. The attackers use the SEDNIT/Sofacy family of malware, a multi-stage downloader that helps the attackers evade detection. "We believe the threat actors aimed to confuse their targets' IT administrators by making it hard for them to string attack components together," Trend said in its newly published report. The attackers also timed their email campaigns to coincide with upcoming political events and meetings that their defense contractor and government agency targets were attending or following, such as the Asia-Pacific Economic Cooperation Forum and the Middle East Homeland Security Summit.

As for the typosquatting method, the attackers lured their victims to phony domain names that are nearly identical to legitimate ones. "Targets are led to typo squatted domain names that resemble a legitimate news site or a site for a conference through spear phishing e-mails (without malicious attachments)," Trend Micro said. "When the e-mails get opened in Outlook Web Access (OWA) in the preview pane, targets are likely to fall victim to advanced phishing."
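Because the OWA-phishing variant carries no attachment, the link itself is the only artifact to inspect. The following is an added example, not code from Trend Micro or from the Pawn Storm report: a check that pulls every link out of a mail body and compares its registrable domain against a list of domains the staff legitimately use, catching homoglyph swaps (rn for m, 0 for o), one- or two-letter typos, wrong top-level domains, and trusted names buried in a subdomain of some other domain. The trusted-domain list, the confusable-character table and the sample e-mail are all constructed for illustration; the public-suffix handling is deliberately naive (last two labels) and is marked as an assumption in the code.

```python
"""Flag lookalike domains in the links of a spear-phishing e-mail.

Added example for this article; not code from Trend Micro or from the
Pawn Storm report. The trusted-domain list, the confusable-character
table and the sample e-mail are all constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Registrable domains the targeted staff legitimately use (assumed list).
TRUSTED_DOMAINS = {"defensenews.com", "osce.org", "microsoftonline.com", "example-summit.org"}

# Character sequences that render alike in common fonts. Multi-character
# entries come first so 'rn' collapses to 'm' before single characters change.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "i": "l"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def skeleton(name: str) -> str:
    """Canonical form of a name so that homoglyph variants compare equal."""
    s = name.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Classify a hostname as trusted, lookalike, embedded or unknown.

    lookalike: homoglyph swap, wrong TLD, or a short typo of a trusted name
    embedded : trusted name used as a subdomain of some other registrable domain
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unknown"
    # Assumption: no multi-part public suffixes (co.uk etc.) in the trusted list.
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    r_name = labels[-2]
    for trusted in TRUSTED_DOMAINS:
        t_name = trusted.split(".")[0]
        if skeleton(r_name) == skeleton(t_name):
            return "lookalike"          # same name after homoglyph folding, or wrong TLD
        max_dist = 1 if len(t_name) < 6 else 2   # short names need a tighter bound
        if levenshtein(r_name, t_name) <= max_dist:
            return "lookalike"          # dropped, added or swapped letter
        if t_name in labels[:-2]:
            return "embedded"           # e.g. osce.org.<attacker-domain>
    return "unknown"


def suspicious_links(email_body: str) -> list:
    """Every link in the body whose host is not a trusted domain, with its verdict."""
    results = []
    for url in URL_RE.findall(email_body):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "trusted":
            results.append((url, verdict))
    return results


# Constructed spear-phish body with no attachment, only links.
SAMPLE_EMAIL = """\
Subject: Updated agenda for the regional security conference

Agenda: http://osce.org.news-update.net/agenda.html
Coverage: https://defensnews.com/articles/summit-preview
Webmail: https://login.rnicrosoftonline.com/owa/
Official site: https://www.osce.org/events
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}")
```

On the constructed mail the check reports the agenda link as embedded (a trusted name used as a subdomain of an unrelated domain), the coverage link as a lookalike typo, and the webmail link as a lookalike homoglyph (rn for m), while the genuine osce.org link passes. In production the registrable-domain step should use a real public-suffix list, and the trusted list should be the organisation's own, not the placeholders used here.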

According to Kellermann, "the most interesting thing about this campaign is how it's evolved over the years and become more streamlined and much more capable of lateral movement and innovation, especially in the last year."

The full report is available from Trend Micro.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Robert McDougal
User Rank: Ninja
10/27/2014 | 1:41:20 PM
Re: Data Nationalism
I will be honest with you, I am surprised that we haven't responded militarily yet. China and Russia are both outright robbing us in broad daylight.
User Rank: Ninja
10/27/2014 | 7:02:34 AM
Re: Data Nationalism
Hi Thomas, are you referring to a proactive defense or what else?

Thanks Pierluigi
Thomas Claburn
User Rank: Ninja
10/24/2014 | 6:16:18 PM
Re: Data Nationalism
Well, if hacking gets really bad, there's no reason it couldn't prompt a military response. I expect that will happen sooner or later, if only to send a message.
User Rank: Ninja
10/24/2014 | 4:24:03 PM
Re: Data Nationalism
It is time for us to limit the access these criminals have to our "free" resources. Why do we allow anyone from the former Russian empire any access to our Internet resources? They all seem to be criminals who can't be found or are protected by their Governments. I suspect we like to have an open Internet because our "whitehat" boys in DHS like to hack back and get what they can as well. From my perspective I say let's just shut off the pipe and control the access. What value do the web resources of the "unfree" world offer us in America anyway?


Sure they can buy a server here and have at it, but once discovered we can at least shut it down.  Maybe we could even find them easier?

User Rank: Moderator
10/24/2014 | 1:33:06 PM
The internet has become such a threat platform that one wonders...
The problem with the "Information Economy" is that stealing information has become trivial for those with the resources to do it professionally, and the real economy, the capability to use what was once proprietary information to manufacture real things, has been outsourced to emerging market countries by the Wall Street Consensus. That means that emerging market countries, like China, are increasingly poised to become the new epicenter of the Global Supply Chain and older industrial countries are becoming less & less relevant to a globalized 21st century economy except as consumers. Add to this the beefing up of military capabilities and the increasing confidence in using newly acquired weapons technologies in projecting national political power, and you have a guaranteed recipe for international conflicts in both the geo-political & economic spheres over the decades ahead. Yes, it is time to re-think how we connect critical IT infrastructure to a globalized, increasingly insecure internet infrastructure that is disempowering our own society by making it trivially easy for our competitors & adversaries alike to simply steal our intellectual property, undermine our military security and leech off of our economic prosperity. It often appears that we are suffering from "too much connectivity" and all this connectivity is not actually improving our way of life, but simply distracting us from those things that are really important. We're increasingly vulnerable because of feature creep that opens up more & more of our life to remote hacking, while merely delivering the appearance of "cool" innovations that marketers love as selling points but security personnel realize are actually new security holes big enough to drive a truck bomb through.
More & more I see the Information Economy as resembling the Subprime Mortgage Bond Market: just another misbegotten child of the Wolves of Wall Street - always looking for something to hype, sell and walk quickly away from when it turns out to be just smoke & mirrors. But it is likely that we have way too much momentum behind this Information Economy B.S., so I expect that we will crash into the economic slowdown ahead while text messaging.
Kelly Jackson Higgins
User Rank: Strategist
10/24/2014 | 10:47:24 AM
Re: Data Nationalism
You raise a debate that has been raging in other nations, @Christian Bryant. Your thoughts on this are provocative, for sure. I'd love to hear what other readers think about this. Let's debate!
User Rank: Ninja
10/24/2014 | 3:28:49 AM
Data Nationalism
You might be surprised to hear me talk about a solution to issues like this from a perspective of data nationalism, being a GNU software user and Free Software Foundation supporter. However, I am also about solutions to problems, and advanced forms of data nationalism are a direct approach to ending these types of network attacks and remote data breaches that cross continents.

The "world wide" web as we know it has reached its end, anyway. It's time, as security analysts, to put on the tinfoil hats and take a few doses of paranoia. First, access to the Internet is a service already, so start treating it more like one. Federate the Internet (US, China, Canada, Brazil, etc.) and write interfaces between each unique instance of Internet ecosystems that cost money to access; expensive access, at that.

Once global networks and Internet providers are fractured and new standards and protocols are put in place to keep everyone with once open access out, hacking threats from other countries will initially be zero. Of course, over time, the same hackers we worried about before will figure out ways to get in; however, now the pipe will be a single entry point and a small one, at that. We can more easily monitor and prevent intrusion from non-USA would-be hackers.

Companies like Google and Facebook - who federated Internet supporters initially worried would never support such initiatives - could actually stand to benefit greatly from such changes, being able to demand high costs of countries like China and the EU whose users will want access to American Facebook and G+ users.

It's another one of those tough decisions and unpopular ideas that holds incredible opportunity for control and security overall for American Internet-based companies and Government agencies and resources, but whose implementation just plain scares too many people. It may be time to get over the fear.