Pawn Storm targets fresh victims to sway public political opinion

The sophisticated attackers are putting more and more pressure on the military, governments, celebrities, and media worldwide.
Written by Charlie Osborne, Contributing Writer

Hacktivist operation Pawn Storm is actively attacking groups with the ability to turn the tide of public opinion in the hot political climate -- and new targets are on the horizon.

Operation Pawn Storm is an ongoing campaign against military and government agencies, embassies, defense contractors, media, and political personalities and celebrities across the world.

The group has been responsible for attacks against US targets as well as the country's allies, such as institutions involved in the North Atlantic Treaty Organization (NATO).

It is believed the group has political roots in Russia, since opposing factions and Russian dissidents have also found themselves on the attack list, alongside high-profile political figures in Ukraine.

Pawn Storm, which has become "very aggressive and ambitious" in recent years according to researchers from Trend Micro, has emerged to launch campaigns against a fresh set of German and French political targets.

According to a new report on the threat actors, released on Tuesday by Trend Micro, political foundation and think tank Konrad-Adenauer-Stiftung (KAS) -- which provides education, training, and scholarships on democratic principles and political thought -- as well as entities linked to Emmanuel Macron's campaign to become the next French president are both now on the espionage group's attack list.

"Even average citizens of different countries might be affected as Pawn Storm tries to manipulate people's opinions about domestic and international affairs," Trend Micro says. "The attacks of Pawn Storm may even serve as an example for other actors, who could copy tactics and repurpose them to fit their own objectives."

Pawn Storm, also known as Fancy Bear, has been connected to the 2016 data breaches at the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS), the leak of US Army information in 2015 by a group calling itself the Cyber Caliphate -- believed to be just a front for Pawn Storm -- and taking control of the live broadcast of a French television station for hours before spreading pro-ISIS messages on the TV5 network's social media channels only weeks after the terrorist attack on French satirical magazine Charlie Hebdo.

The group has also been linked to an alleged attack against the Democratic National Committee (DNC).

Trend Micro believes that confidential emails from the DNC and AK party of Turkish president Erdogan published by Wikileaks in 2016 may have also been stolen and leaked by the threat actors.

In addition to what the researchers call "manipulating the public" (releasing sensitive documents to the media at the "right" political moment, spreading fake news and rumors, and using social engineering to spy on political figures), Pawn Storm also uses a variety of techniques to persistently spy on government and military groups.

Among the tactics Pawn Storm uses are sophisticated malware and exploit kits, zero-days, and credential phishing, with the latter considered the group's main area of expertise. Once victims have been lured into handing over their credentials, whether by unwittingly downloading and executing malware or by visiting malicious websites, the group may wait "up to a year" before releasing stolen files at the moment they would do the most damage.

Credential phishing is a favored tactic of Pawn Storm, having been used to access accounts owned by journalists, politicians, software developers, university researchers, and even artists in Russia and beyond.

In order to grab the attention of victims in the current political climate, phishing emails will often carry headlines such as "Pro-Russian rebels launch new offensive," "News: Yemen air strikes kill 23 in factory: residents," and "What does Russia's President Putin really want?"

The group also uses "tabnabbing," in which JavaScript changes the URL of an already open browser tab so that it points at a phishing site. The trick makes the phishing page appear to belong to a legitimate domain; when the page then shows a message claiming that credentials must be re-entered because of inactivity, the hope is that the victim complies and hands over their account information.
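The tab-rewriting trick described above depends on a page opened in a new tab keeping a `window.opener` reference back to the tab that launched it, which `rel="noopener"` on the originating link removes. As an added example (not code from the article or from Trend Micro's report; the helper names `findTabnabbingRisks` and `hardenAnchors` and the sample HTML are constructed here), the audit below flags outbound links that open a new tab without that attribute and rewrites them:

```javascript
// Constructed sample page fragment: one safe link, one same-tab link, two at risk.
const SAMPLE_HTML = `
<p>Latest: <a href="https://news.example/offensive" target="_blank">Pro-Russian rebels launch new offensive</a></p>
<a href="https://safe.example/" target="_blank" rel="noopener">ok</a>
<a href="/internal">same tab</a>
<a href='https://other.example/x' target='_blank' rel='nofollow'>x</a>
`;

// Matches every opening <a ...> tag (not <abbr>, because of the word boundary).
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Returns the value of attribute `name` in an opening tag, or null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  if (!m) return null;
  return m[2] ?? m[3] ?? m[4];
}

// A link is at risk when it opens a new tab and its rel list lacks "noopener".
function isVulnerableAnchor(tag) {
  if ((attr(tag, 'target') || '').toLowerCase() !== '_blank') return false;
  const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener');
}

// Lists the hrefs of every at-risk anchor in an HTML string.
function findTabnabbingRisks(html) {
  const risks = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    if (isVulnerableAnchor(tag)) risks.push(attr(tag, 'href'));
  }
  return risks;
}

// Rewrites at-risk anchors so they carry rel="... noopener noreferrer",
// preserving any rel tokens (e.g. nofollow) the tag already had.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isVulnerableAnchor(tag)) return tag;
    const existing = (attr(tag, 'rel') || '').split(/\s+/).filter(Boolean);
    const rel = [...new Set([...existing, 'noopener', 'noreferrer'])].join(' ');
    const stripped = tag.replace(/\s+rel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return stripped.replace(/\s*>$/, ` rel="${rel}">`);
  });
}

console.log(findTabnabbingRisks(SAMPLE_HTML));
console.log(findTabnabbingRisks(hardenAnchors(SAMPLE_HTML)));
```

Current browsers treat `target="_blank"` as `noopener` by default, but older browsers and explicit `rel="opener"` do not, so the attribute is still worth adding in templates and in CMS output.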

"Normal cybercriminals often don't like media attention and even suspend their activities temporarily when their actions are discovered and written about," the researchers note. "Pawn Storm doesn't slow down at all. On the contrary: a lot has been written about Pawn Storm since fall of 2014, and their activities have only grown, both in aggressiveness and number."
