Operation Pawn Storm is back in the limelight following the April 2016 cyberattacks against the German Christian Democratic Union (CDU), the political party of the Chancellor of Germany. The attacks used phishing tactics to gain user credentials, according to a recent blog post by Trend Micro.
Operation Pawn Storm is a sophisticated cyber espionage campaign with suspected ties to the Russian government.
Pawn Storm has been in operation since 2004. The campaign has targeted government, military and media entities in the United States; Ukrainian activists, media, military and government; Russian dissidents and political opponents of the Kremlin; and the North Atlantic Treaty Organization and its member states.
“As per their standard MO, Pawn Storm continues to launch sophisticated attacks against entities whose views are potentially in opposition to Russia,” said Christopher Budd, global threat communications manager for Trend Micro. “In past Pawn Storm attacks, we’ve seen credential theft result in downloads of complete online inboxes, along with the establishment of secret email forwarding for continuous monitoring.”
One of the most notable incidents targeting the United States is the December 2014 attack on the corporate accounts of 55 employees of a large US newspaper, which used the compromised account of a US military correspondent whom Operation Pawn Storm had attacked earlier in the same month.
In addition, in October 2015, Trend Micro researchers discovered that the attackers behind Pawn Storm were using a new Adobe Flash zero-day exploit in a campaign targeting several foreign affairs ministries from around the globe, except in Russia.
During this campaign, the attackers sent emails containing geopolitical subject matter to bait recipients into opening infected emails. For example, the email subjects contained the following topics: “Suicide car bomb targets NATO troop convoy Kabul” and “Syrian troops make gains as Putin defends air strikes.”
More recently, Trend Micro reported on Pawn Storm attacking the Turkish government from various angles in March 2016. These attacks confirmed Trend Micro’s belief that the group’s targets are those opposed to Russian interests.
“Many of these targets share a common trait: that they could be perceived as a threat to Russian politics in some way or form,” a March 2016 blog post stated. “We believe that these attacks against Turkey were related to previous Pawn Storm-related incidents in summer and fall 2015, which targeted Syrian opposition and about all of the Arab countries that voiced criticism about Russia’s interventions in Syria.”
With seemingly no plans to let up anytime soon, Operation Pawn Storm is likely to remain very active.