## Update on Pawn Storm: New Targets and Politically Motivated Campaigns

**[Posted on: January 12, 2018](http://blog.trendmicro.com/trendlabs-security-intelligence/2018/01/) at 5:00 am** **[Posted in: Targeted Attacks](http://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/)**

**Author: Feike Hacquebord (Senior Threat Researcher)**

In the second half of 2017 Pawn Storm, an extremely active espionage actor group, didn't shy away from continuing their brazen attacks. Usually, the group's attacks are not isolated incidents, and we can often relate them to earlier attacks by carefully looking at both technical indicators and motives.

Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. We saw attacks against political organizations again in the second half of 2017. These attacks don't show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn't need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.

In summer and fall of 2017, we observed Pawn Storm targeting several organizations with credential phishing and spear phishing attacks. Pawn Storm's modus operandi is quite consistent over the years, with some of their technical tricks being used repeatedly. For example, [tabnabbing was used against](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-putting-outlook-web-access-users-at-risk/) Yahoo! users in August and September 2017 in US politically themed email. The method, which we first discussed in 2014, involves changing a browser tab to point to a phishing site after distracting the target.

We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. One type of email is supposedly a message from the target's Microsoft Exchange server about an expired password. The other says there is a new file on the company's OneDrive system.

**_Figure 1. A sample of a credential phishing email Pawn Storm sent in October and November 2017_**

**_Figure 2. Second type of credential phishing email that was sent by Pawn Storm in November 2017. The logo of the target organization has been removed from the screenshot and the color was changed so as not to reveal the source._**

While these emails might not seem to be advanced in nature, we've seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email inboxes. We have worked with one of the targets, an NGO in the Netherlands targeted twice, in late October and early November 2017. We successfully prevented both attacks from causing any harm. In one case we were able to warn the target within two hours after a dedicated credential phishing site was set up. In an earlier attack, we were able to warn the organization 24 hours before the actual phishing emails were sent.

**_Olympic Wintersports Federations_**

We have seen several International Olympic Wintersport Federations, such as the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation and the International Luge Federation, among the group's targets in the second half of 2017. This is noteworthy due to the timing correlation with several Russian Olympic players being banned for life in fall 2017. In 2016, Pawn Storm had some success in compromising WADA (the World Anti-Doping Agency) and TAS-CAS (the Court of Arbitration for Sport). At that time, Pawn Storm sought active contact with mainstream media either directly or via proxies and had influence on what some of them published.

**_Political targets_**

In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users. We were able to collect evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran. We have previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet; however, phishing users' credentials for an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high-profile users of interest.

**_The future of politically motivated campaigns_**

Rogue political influence campaigns are not likely to go away in the near future. Political organizations have to be able to communicate openly with their voters, the press and the general public. This makes them vulnerable to hacking and spear phishing. On top of that, it's also relatively easy to influence public opinion via social media. Social media platforms continue to form a substantial part of users' online experience, and they let advertisers reach consumers with their message.

This makes social media algorithms susceptible to abuse by various actors with bad intentions. Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy.

digging deeper into C Major's activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well.

With the Olympics and several significant global elections taking place in 2018, we can be sure Pawn Storm's activities will continue. We at Trend Micro will keep monitoring their targeted activities, as well as activities of similar actors, as cyberpropaganda and digital extortion remain in use.

**_Indicators of Compromise (IoCs):_**

adfs[.]senate[.]group
adfs-senate[.]email
adfs-senate[.]services
adfs.senate[.]qov[.]info
chmail.ir[.]udelivered[.]tk
webmail-ibsf[.]org
fil-luge[.]com
biathlovvorld[.]com
mail-ibu[.]eu
fisski[.]ca
iihf[.]eu

**Tags:** [Operation Pawn Storm](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/operation-pawn-storm/) [Pawn Storm](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/pawn-storm/)
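The IoCs above are published defanged (`[.]` in place of `.`), and several of them are lookalikes of legitimate names (`qov` for `gov`, `vv` for `w`), so a plain string search of logs for the organization's real domains will not surface them. The following Python script is an added example, not code from the post or from Trend Micro: it refangs the listed domains and scans DNS or proxy log lines for hostnames that equal an indicator or sit beneath it as a subdomain. The log lines and the log format are constructed for the example; the IoC list itself is copied from the post.

```python
"""Match the defanged Pawn Storm domain IoCs from the post against DNS/proxy log lines."""
import re
from typing import Iterable, List, Optional, Tuple

# Domain IoCs exactly as listed in the post, still defanged.
PAWN_STORM_IOCS = [
    "adfs[.]senate[.]group",
    "adfs-senate[.]email",
    "adfs-senate[.]services",
    "adfs.senate[.]qov[.]info",
    "chmail.ir[.]udelivered[.]tk",
    "webmail-ibsf[.]org",
    "fil-luge[.]com",
    "biathlovvorld[.]com",
    "mail-ibu[.]eu",
    "fisski[.]ca",
    "iihf[.]eu",
]

# Constructed sample log lines (not real telemetry). Line format is an assumption:
# timestamp, source (dns/proxy), the queried name or requested URL, and a client address.
SAMPLE_LOG = [
    "2017-11-02T09:14:03Z dns query=adfs.senate.qov.info type=A client=10.0.0.5",
    "2017-11-02T09:14:05Z proxy GET https://login.adfs-senate.email/adfs/ls/ client=10.0.0.5",
    "2017-11-02T09:15:10Z dns query=adfs.senate.gov type=A client=10.0.0.7",
    "2017-11-02T09:16:00Z dns query=notfisski.ca type=A client=10.0.0.9",
    "2017-05-18T07:40:22Z dns query=chmail.ir.udelivered.tk type=A client=10.0.0.11",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a comparable hostname: '[.]' -> '.', lowercase, no trailing dot."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def matches_ioc(hostname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IoC that hostname equals or is a subdomain of, else None.

    The match requires a '.' boundary so that 'notfisski.ca' does not match 'fisski.ca'.
    """
    host = hostname.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Hostnames show up in DNS queries, URLs and TLS SNI fields; pull out dotted names whose
# last label is alphabetic, which also keeps IPv4 addresses from being picked up.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def scan_log(lines: Iterable[str], iocs: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines and return (line_number, hostname, matched_ioc) for every hit."""
    refanged = [refang(i) for i in iocs]
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            ioc = matches_ioc(host, refanged)
            if ioc is not None:
                hits.append((line_no, host, ioc))
    return hits


if __name__ == "__main__":
    for line_no, host, ioc in scan_log(SAMPLE_LOG, PAWN_STORM_IOCS):
        print(f"line {line_no}: {host} matches IoC {ioc}")
```

Run against the constructed lines, this reports lines 1, 2 and 5 and stays silent on the genuine `adfs.senate.gov` lookup and on `notfisski.ca`, which only shares a suffix with an indicator. The subdomain rule matters because phishing kits are commonly served from a host beneath the registered lookalike domain rather than from the apex. The indicators date from January 2018, so treat them as historical: a hit in current logs warrants a look at who owns the domain now before escalating.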