Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

In a recently released whitepaper, Trend Micro researchers have shared many details about a long-standing economic and political cyber-espionage operation they dubbed Pawn Storm.

“The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns,” they noted.

Their targets are varied, and so are the techniques they use to compromise them:

  • Spear-phishing emails with malicious Microsoft Office documents that lead to infection with the SEDNIT/Sofacy malware family
  • Particularly effective phishing emails that redirect victims to fake Outlook Web Access login pages parked on typosquatted domains, and
  • Malicious iFrames injected in compromised websites and pointing to exploits that are triggered only when the victim uses certain software on a specific OS, with specific language settings and in a specific time zone. Again, the victims are saddled with SEDNIT/Sofacy malware.
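The second vector above relies on login pages hosted on domains that look like an organization's real webmail host. As an added illustration (not code from Trend Micro's paper, and using a hypothetical legitimate host and constructed sample hostnames rather than any real Pawn Storm infrastructure), the following script shows the kind of lookalike-domain check a defender can run over proxy or DNS logs: it normalizes common visual confusables, computes an edit distance to the protected hostname, and flags close-but-not-exact matches for review.

```python
"""
Lookalike (typosquat) hostname check for a protected webmail host.

Added example, not from Trend Micro's whitepaper. LEGIT_HOST is a
hypothetical name chosen for illustration and OBSERVED_HOSTS are
constructed samples, not real Pawn Storm domains.
"""
from __future__ import annotations

# Hypothetical legitimate Outlook Web Access hostname to protect.
LEGIT_HOST = "mail.example-ministry.gov"

# Constructed sample hostnames, as they might appear in proxy/DNS logs.
OBSERVED_HOSTS = [
    "mail.example-ministry.gov",    # exact match, legitimate
    "mail.exarnple-ministry.gov",   # 'rn' standing in for 'm'
    "mail.example-ministry.co",     # top-level domain swapped
    "mail.example-minlstry.gov",    # 'l' standing in for 'i'
    "updates.vendor-news.example",  # unrelated host
    "mail-example-ministry.gov",    # dot replaced by hyphen
]

# Character pairs that render almost identically in many fonts; applied to
# both sides before comparison so a homoglyph swap collapses to distance 0.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(host: str) -> str:
    """Lowercase the host and collapse visual confusables."""
    s = host.lower()
    for lookalike, canonical in HOMOGLYPHS.items():
        s = s.replace(lookalike, canonical)
    return s


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(host: str, legit: str = LEGIT_HOST, max_dist: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname.

    An exact (case-insensitive) match is legitimate. Otherwise the
    normalized edit distance decides: a small distance means the host
    differs from the protected name by a typo-sized change and deserves
    analyst review.
    """
    if host.lower() == legit.lower():
        return "legitimate"
    dist = levenshtein(normalize(host), normalize(legit))
    return "lookalike" if dist <= max_dist else "unrelated"


def flag_lookalikes(hosts: list[str], legit: str = LEGIT_HOST) -> dict[str, str]:
    """Classify every observed host; returns a host -> verdict mapping."""
    return {h: classify(h, legit) for h in hosts}


if __name__ == "__main__":
    for host, verdict in flag_lookalikes(OBSERVED_HOSTS).items():
        print(f"{verdict:10s} {host}")
```

A check like this is a triage aid, not a blocklist: the distance threshold should be tuned against the organization's own legitimate hostnames, and hits are best correlated with whether the destination serves a login form that mimics the real portal.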

“Our investigation into Pawn Storm has shown that the attackers have done their homework. Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can,” the researchers noted.

The attacks were always executed in several stages, and through the years, the attackers have managed to make their attacks more streamlined.

Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries including Pakistan and, more recently, Polish government employees. They were always baited with documents on relevant subjects that, once opened, would ultimately lead to malware being installed on their systems.

This year, legitimate Polish websites, including some belonging to the government, were compromised to point to a website hosting an exploit kit that would deliver the malware. But, as mentioned before, not all visitors were targeted – only those whose system met certain criteria.

Lastly, the phishing emails that redirect victims to fake Outlook Web Access login pages were particularly effective, and have been used to target media companies, military attachés, staff at the Ministry of Defense in France and Hungary, a multinational company based in Germany, the Organization for Security and Co-operation (OSCE) based in Austria, staff of the US State Department, and personnel of US defense contractor ACADEMI (formerly Blackwater) and US government services and information technology support provider SAIC.

For more technical details about the attacks, phishing email examples, attack chains and so forth, check out Trend Micro’s very thorough whitepaper.