Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More

Download Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More

By Feike Hacquebord (Trend Micro Research)

Pawn Storm, an ongoing cyberespionage campaign with activities that can be traced as far back as 2004, has gained notoriety after aiming cyber-attacks at defense contractor personnel, embassies, and military forces of the United States and its allies, as well as international media and citizens across different civilian industries and sectors, among other targets.

For years, Trend Micro has been closely monitoring Pawn Storm and its various attack vectors and methodologies, which have been generally facilitated for geopolitical disruption and espionage. This newer operation has employed a number of attack methods, including the use of spear-phishing emails against high-profile targets, a staple in Pawn Storm's arsenal. Here are some of the many threats the group has wielded against its targets:

• Watering hole attacks against compromised websites frequently visited by targets
• Open Authentication (OAuth) abuse for compromising targets in advanced social engineering schemes
• Private exploit kit that included zero-days and common vulnerabilities used to infect targets
• iOS spyware specifically designed for espionage
• Tabnabbing for persuading users into submitting credentials to known (impersonated) sites

We have uncovered more information on the group's current attack methods, which primarily centered on scanning for servers and credential phishing among high-profile entities. Below we give an overview of our other notable findings from the past year.

The setup Pawn Storm frequently used to send out credential phishing spam in 2019

Since May 2019, Pawn Storm has been abusing compromised email addresses to send credential phishing spam. The majority of the compromised systems were from defense companies in the Middle East. Other targets included organizations in the transportation, utilities, and government sectors.

Pawn Storm also regularly probed many email and Microsoft Exchange Autodiscover servers across the world. The group looked for vulnerable systems in an attempt to brute force credentials, exfiltrate email data, and send out waves of spam.

The setup we used to monitor Pawn Storm's email campaigns for more than two years

Our more than two-year-long monitoring of all DNS requests for Pawn Storm's domains also enabled us to monitor and detect credential phishing campaigns that the group has facilitated from their servers from 2017 to 2019. The campaigns included spam waves against webmail providers in the United States, Russia, and Iran.

Our research, "Pawn Storm in 2019: A Year of Scanning and Credential Phishing on High-Profile Targets," covers these developments and the group's other noteworthy activities, what organizations can best do to minimize the risk of compromise across all layers, and indicators of compromise.