Hackers target military, embassy and defense workers in Operation Pawn Storm

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

A group of organised criminal hackers, possibly backed by an unknown country, are targeting government, media and military organisations in the United States, Pakistan, and across Europe, according to new research released by researchers at Trend Micro.

In an operation dubbed “Pawn Storm”, the hackers have targeted computers belonging to – amongst others – the US Department of State, defense contractors and the ministries of defence in Hungary and France, as they seek to compromise systems and steal information.

One of the main weapons in the attackers’ arsenal is the Sednit malware (also known as Sofacy), which once it has infected a Windows PC, waits for commands from its operators and scoops up information and data to send back.

As researchers at ESET described earlier this month, the targeted attacks have evolved during the course of the year from spear-phishing with boobytrapped Microsoft Word documents to watering hole attacks that use exploit kits to target unpatched versions of Internet Explorer.

Sign up to our free newsletter.
Security news, advice, and tips.

Sednit decoy doc

That’s not to say that the group involved in Operation Pawn Storm no longer believes in targeting individuals inside organisations by sending carefully-crafted emails with a suitably juicy attachment as bait.

In its research, Trend Micro catalogues the following email attacks related to the campaign:

2011: A malicious email is sent to the Ministry of Defense in France. Its attachment, “International Military.rtf” exploits a buffer overflow in versions of Microsoft Office.

2012: The Vatican Embassy in Iraq receives an email, using reports of a bombing incident the day before as a lure to open an attachment called “IDF_Spokesperson_Terror_Attack_011012.doc”, exploiting another vulnerability.

Vatican embassy attack

2013: Military officials from several countries receive a Microsoft Excel attachment, posing as a media list for the upcoming Asia-Pacific Economic Cooperation (APEC) conference in Indonesia, but that is a in reality a smokescreen to disguise the fact that computers are being infected in the background.

Media list

2014: Military officials in Pakistan received an email claiming to contain information about the Homeland Security Summit in the Middle East, but the attached Word document was again infected by malware.

2014: Polish government employees received what appeared to be a document related to the shooting down of passenger flight MH17 over Ukraine, but again was designed to infect computers with malware.

But it’s not just malware-laced email attachments in carefully-crafted messages that computer users need to be wary of.

In the last couple of months, Operation Pawn Storm has used watering holes as a method of attack – breaching legitimate websites in Poland, so that they redirected to a website posing as a military contractor site, but secretly delivering a malware payload. Ingeniously, rather than impacting every single visitor who travelled to the hacked websites, the attackers would try to only infect likely targets on their list by testing operating system version, language settings, time zone and what software was installed.

Furthermore, specially crafted emails have been sent tricking users into visiting bogus OWA (Outlook Web Access) login pages and entering their credentials.

The way in which the attackers achieved the subterfuge was quite ingenious – using two fake domains.

The first domain would have a very similar URL to a website known to potential victims, such as that belonging to an upcoming conference. The other would have a similar domain name to the site where the targeted organisation hosted its remote webmail login page via OWA.

Visiting the first domain would redirect victims to the similarly named genuine site, but not before some JavaScript executed that redirected an already open Outlook tab to a near-identical phishing page.

Users would believe they had been automatically logged out (perhaps because they had been inactive for too long), and re-enter their credentials – handing them straight to the hackers.

“Because many companies allow employees to use webmail services to access their mailboxes while on business travel or at home, these attacks are likely to succeed. Once they do, attackers can gain access to compromised mailboxes that they can then use to gain a foothold in target networks.”

In the firing line appear to be military agencies, embassy staff, and those who work in the defense industry serving the United States and its allies. Other targets included the international media, and those politicians and dissidents who oppose the Russian government.

Who might be responsible for Operation Pawn Storm is not explicitly spelt out by the researchers at Trend Micro, but it feels like you wouldn’t have to have a brain the size of a chess grandmaster to guess the direction in which they might be leaning.

Realise this – even if you aren’t involved in defense contract work, and don’t work with government agencies, your company might still be a potential target for attack.

Make sure that your computer systems are strongly defended, and patched promptly. And please train your staff to be suspicious of emails that arrive out of the blue, even if they initially appear to contain information that they might be interested in, and to always be very careful about what files they open, what links they click on, and where they choose to enter their username and password.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.