Dark Reading is part of the Informa Tech Division of Informa PLC

'Pawn Storm' APT Campaign Rolls On With Attacks in Germany, Turkey

Offices of German chancellor Angela Merkel among those targeted in recent attacks, Trend Micro says.

The shadowy group behind Operation Pawn Storm, a sophisticated cyber espionage campaign that has been active since at least 2004, appears to have no plans to let up any time soon.

The latest evidence that the group is still alive and operating is an attack last month targeting German chancellor Angela Merkel’s Christian Democratic Union (CDU) party website.

Security vendor Trend Micro Labs, which discovered the attacks, this week described them as a set of seemingly simultaneous attacks targeting the corporate and personal email accounts of CDU members.

As part of the campaign, the threat actors set up a fake webmail server in Latvia designed to look like the CDU’s main webmail server, in an apparent attempt to steal the email credentials of party members. The attackers also set up three separate phishing domains to try to grab the personal email credentials of targeted, high-profile users of two German free email service providers.

The attacks were consistent with the Pawn Storm group’s habit of targeting both official and personal email accounts of targets at the same time, Trend Micro’s senior researcher Feike Hacquebord wrote in a post on the company’s blog this week. “The attackers build a fake version of the corporate webmail server of the targeted organization and at the same [time] attack key members of the organization on their private free webmail accounts,” Hacquebord said.

The operators of the Pawn Storm campaign have used such credential phishing tactics very successfully in the past, the researcher noted. “We have witnessed Pawn Storm downloading complete online e-mail boxes and securing future access by [for example] setting up forwarding e-mail addresses secretly.”
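One defensive check for the persistence tactic Hacquebord describes, added here as an example that is not from the article or from Trend Micro: scan mailbox audit records for rules that forward mail to addresses outside the organization. The record format, the organization domain and all addresses are constructed assumptions, not any vendor's real schema or real data.

```python
"""Flag mailbox forwarding rules that send copies of mail outside the organization.
Added example for the 'secret forwarding address' persistence tactic described above.
The JSON-lines log format below is constructed, not a real vendor schema."""
import json

# Assumption: the organization's own mail domain(s).
ORG_DOMAINS = {"org.example"}

# Actions in the constructed log that create or change forwarding.
FORWARDING_ACTIONS = {"NewInboxRule", "SetMailboxForwarding"}

# Constructed sample audit records (not real log data).
SAMPLE_LOG = """\
{"user": "alice@org.example", "action": "NewInboxRule", "forward_to": "alice@org.example", "client_ip": "10.0.0.5"}
{"user": "bob@org.example", "action": "NewInboxRule", "forward_to": "backup.archive@freemail.example", "client_ip": "203.0.113.7"}
{"user": "carol@org.example", "action": "SetMailboxForwarding", "forward_to": "", "client_ip": "10.0.0.9"}
{"user": "dave@org.example", "action": "MailboxLogin", "forward_to": "", "client_ip": "198.51.100.4"}
{"user": "erin@org.example", "action": "SetMailboxForwarding", "forward_to": "collector@mail.example", "client_ip": "198.51.100.4"}
"""


def is_external(address, org_domains=ORG_DOMAINS):
    """True when a forwarding target's domain is not one of the organization's own."""
    if "@" not in address:
        return False  # empty or malformed target: nothing is being forwarded
    return address.rsplit("@", 1)[1].lower() not in org_domains


def find_external_forwarding(log_text, org_domains=ORG_DOMAINS):
    """Return (user, forward_to, client_ip) for every record that forwards mail externally."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") not in FORWARDING_ACTIONS:
            continue  # logins and other actions are not forwarding changes
        target = rec.get("forward_to", "")
        if is_external(target, org_domains):
            hits.append((rec["user"], target, rec.get("client_ip", "")))
    return hits


if __name__ == "__main__":
    for user, target, ip in find_external_forwarding(SAMPLE_LOG):
        print(f"ALERT: {user} forwards mail to external address {target} (rule set from {ip})")
```

Internal forwarding (alice) and cleared forwarding (carol) are ignored; in a real deployment the source IP of the rule change is worth correlating with the user's usual login locations.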

The attacks on members of the CDU follow a similar Pawn Storm campaign targeting the office of the Turkish prime minister and members of the country’s parliament in March this year. Hurriyet, one of Turkey’s largest newspapers, and the offices of the Directorate General of Press and Information in Turkey were also targeted in the campaign, Trend Micro said.

One of the attacks in Turkey involved what Trend Micro said was a series of spoofed Outlook Web Access servers, used to try to steal the email credentials of users at the targeted organization. “Phishing attacks against OWA users are relatively inexpensive for the attackers, but can be highly effective to steal sensitive information,” Hacquebord had noted at the time.

To launch the attacks against the Turkish government and members of the press, the Pawn Storm group took advantage of a virtual private server provider with servers in the Netherlands but a postal address in the United Arab Emirates. The same infrastructure appears to have been used in the attacks against German targets last month.

As with many of Pawn Storm’s attacks over the years, the profiles of the victims in the Turkish cyber attacks suggested that the campaign was directed at people perceived to be a threat to Russian politics, Hacquebord had noted.

Since it launched in 2004, Operation Pawn Storm has proven to be one of the most far-reaching politically and economically motivated cyber espionage campaigns ever conducted. The group’s many victims over the years have included government, military, and defense contractor organizations, including those in the United States and allied countries.

Groups perceived as being unfriendly to Russian government interests, including dissidents, Russian citizens, and Ukrainian media members and politicians, have been frequent targets, suggesting that Pawn Storm is a nation-state-backed operation probably based out of Russia.

Its typical modus operandi when attacking a target organization or individual has been to use spear-phishing email to try to install credential-stealing and information-stealing malware on a target’s computers. One malware family the group has favored recently to install backdoors and steal data is SEDNIT, Trend Micro had noted in a blog post earlier this year.

In addition to the phishing emails, the group has shown a penchant for creating fake OWA login pages to steal email credentials. The group has also developed exploits for several vulnerabilities, including some in iOS, that enable attackers to steal data such as messages, contact lists and voice mails from infected mobile devices.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
5/15/2016 | 4:46:23 PM
Re: pwn storm
Spoofing OWA isn't even needed. SSL Injection with SSL Strip/Dump work just fine.
User Rank: Strategist
5/15/2016 | 5:04:59 AM
pwn storm
they certainly like spoofing those outlook web access servers, huh?