Pawn Storm, one of the oldest APTs engaging in cyber espionage, has been spotted targeting members of the German Christian Democratic Union (CDU), the political party of German Chancellor Angela Merkel.
This shouldn’t come as a surprise, as Pawn Storm is known for going after political targets such as the Polish government, NATO members, the US State Department and the foreign ministries of a number of countries, but also Russian dissidents, media and artists, as well as a Dutch Safety Board partner in the MH17 investigation. In March the group also targeted the Turkish government.
Taking all this into consideration, it’s obvious why Trend Micro researchers believe the group to have Russian origins.
“As per their standard MO, Pawn Storm continues to launch sophisticated attacks against entities whose views are potentially in opposition to Russia,” said Christopher Budd, global threat communications manager for Trend Micro. “In past Pawn Storm attacks, we’ve seen credential theft result in downloads of complete online inboxes, along with the establishment of secret email forwarding for continuous monitoring.”
As in earlier campaigns, Pawn Storm relied on credential phishing in these attacks against German politicians. On a server hosted in Latvia they set up a fake corporate webmail server imitating the CDU’s, and registered three domains (account-web.de, account-gmx.de and account-gmx.net) serving fake login pages for the popular free email providers Web.de and GMX.
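The three lookalike domains above follow a common credential-phishing pattern: a lure word such as "account" combined with the imitated provider's brand in a registrable domain the provider does not own. The following is an added example (not Trend Micro's or the article's own code) of a check a defender could run over web proxy logs to flag such domains. The legitimate domains web.de, gmx.de and gmx.net come from the article; cdu.de as the party's corporate domain, the lure-word list and the log lines are assumptions constructed for this example.

```python
"""Flag lookalike webmail domains in proxy logs.

Added example, not code from the article or from Trend Micro.
The three phishing domains are the ones the article names; the log
lines below are constructed. cdu.de as the CDU's corporate domain and
the lure-word list are assumptions made for this example.
"""
import re
from typing import List, Tuple

# Registrable domains that legitimately belong to the imitated brands.
LEGIT = {"web.de", "gmx.de", "gmx.net", "cdu.de"}  # cdu.de is an assumption
# Brand tokens phishing domains tend to embed.
BRANDS = {"web", "gmx", "cdu"}
# Words phishing kits commonly combine with a brand token (assumed list).
LURE_WORDS = {"account", "login", "secure", "mail", "signin", "auth"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for .de/.net as used
    here; a real deployment should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True if host imitates one of the brands without being theirs."""
    labels = host.lower().rstrip(".").split(".")
    rd = registrable_domain(host)
    if rd in LEGIT:
        return False  # the provider's own domain, any subdomain is fine
    # A legitimate domain embedded as a subdomain of an attacker domain,
    # e.g. web.de.<attacker>.lv, is a lookalike regardless of lure words.
    for legit in LEGIT:
        ll = legit.split(".")
        for i in range(len(labels) - len(ll)):
            if labels[i:i + len(ll)] == ll:
                return True
    sld = rd.split(".")[0]
    tokens = [t for t in re.split(r"[-_0-9]+", sld) if t]
    # "web" is too generic to match as a substring, so it counts only as a
    # whole hyphen-separated token; gmx and cdu are distinctive enough.
    has_brand = any(t in BRANDS for t in tokens) or any(
        b in sld for b in ("gmx", "cdu")
    )
    has_lure = any(w in sld for w in LURE_WORDS)
    return has_brand and has_lure


# Constructed proxy log: timestamp, client IP, method, URL, protocol.
LOG = """\
2016-04-20T09:14:02Z 10.1.4.22 GET https://account-web.de/login HTTP/1.1
2016-04-20T09:14:05Z 10.1.4.22 GET https://web.de/ HTTP/1.1
2016-04-20T09:15:41Z 10.1.7.9 GET https://account-gmx.net/ HTTP/1.1
2016-04-20T09:16:10Z 10.1.7.9 GET https://mail.gmx.net/inbox HTTP/1.1
2016-04-20T09:17:33Z 10.1.2.3 GET https://account-gmx.de/ HTTP/1.1
2016-04-20T09:18:00Z 10.1.2.3 GET https://news.example.com/ HTTP/1.1
"""

URL_RE = re.compile(r"https?://([^/\s:]+)")


def scan(log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, host) pairs for requests to lookalike domains."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        m = URL_RE.search(parts[3])
        if m and is_lookalike(m.group(1)):
            hits.append((parts[1], m.group(1)))
    return hits


if __name__ == "__main__":
    for ip, host in scan(LOG):
        print(f"possible credential phishing: {ip} -> {host}")
```

Run against the constructed log, the three article domains are flagged while web.de and mail.gmx.net are not. The registrable-domain heuristic is the weak point: for anything beyond .de/.net-style suffixes, replace it with a Public Suffix List lookup before relying on the result.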
“Pawn Storm attackers often conduct sophisticated, simultaneous attacks against targets’ corporate and personal email accounts,” noted Feike Hacquebord, Senior Threat Researcher at Trend Micro.
“It is a recurring theme in recent Pawn Storm attacks; organizations get hit from different angles simultaneously. We have seen that happening time and time again against various governments, armed forces, defense companies and media.”
The group is also known for leveraging XAgent iOS malware to spy on targets’ activities through their compromised mobile phones.
“Monitoring its recent activity, we have counted over a dozen live X-Agent Command and Control servers,” says Hacquebord, noting that this is another strong indication of how active Pawn Storm is.