Trend Micro, a Japanese security company, published a report showing that the Pawn Storm espionage group (also known as Fancy Bear) has become increasingly aggressive in targeting political organizations and U.S. senators over the last few years.
Pawn Storm History
The first evidence of Pawn Storm’s activities dates back to 2004, and for a decade its operations stayed largely under the radar. Since Trend Micro began tracking the group in 2014, however, the company has published more than a dozen reports on its activities.
The security company found that Pawn Storm favors phishing against political organizations and politicians and that its techniques have not changed much over the years. The attacks are nonetheless well prepared, persistent, and difficult to defend against. Alongside credential phishing, the group relies mainly on known vulnerabilities that its targets have not yet patched; occasionally it also uses zero-day software flaws.
The Pawn Storm group has been attacking political targets in France, Germany, Montenegro, Turkey, Ukraine, and the United States.
Attributing cyber attacks is usually difficult, especially with sophisticated groups, which can do a great deal to hide their tracks, including impersonating other organizations to mislead or derail investigators. Even so, many of the security experts who have examined the group’s attacks and its choice of targets believe it is tied to the Russian government.
Pawn Storm Targets U.S. Senate
Trend Micro recently discovered that the group has also begun targeting the U.S. Senate’s internal email system. From the report:
Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017.
The real ADFS server of the U.S. Senate is not reachable on the open internet; however, phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.
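A defender watching for this kind of infrastructure can screen newly observed hostnames (from passive DNS or certificate-transparency feeds, for instance) for names that imitate the organization’s federation endpoint. The script below is an added example written for this article; it is not code from the Trend Micro report, and the legitimate hostname, the brand tokens, the similarity threshold and the candidate list are all constructed for illustration rather than taken from the report.

```python
"""Heuristic detector for hostnames that imitate an organisation's ADFS
sign-in endpoint. Added example, not code from the Trend Micro report;
every hostname below is constructed. Standard library only."""
from difflib import SequenceMatcher

# Assumed legitimate federation endpoint (constructed, not the real one).
LEGIT_HOST = "adfs.example-senate.gov"
# Tokens an impersonating hostname is likely to keep so victims recognise it.
BRAND_TOKENS = ("adfs", "senate")
# Similarity needed to flag a hostname that carries only some brand tokens.
SIMILARITY_THRESHOLD = 0.6
# Digits commonly substituted for letters in typosquatted names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(host: str) -> str:
    """Lowercase, drop a trailing dot, undo digit homoglyphs and treat hyphens
    as label separators so "adfs-senate" compares like "adfs.senate"."""
    host = host.lower().rstrip(".").translate(HOMOGLYPHS)
    return host.replace("-", ".")


def registrable_domain(host: str) -> str:
    """Last two labels. Assumption: no public-suffix list, which is fine for
    .gov/.com style names but wrong for suffixes such as .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_under_legit_domain(host: str) -> bool:
    """True if host is the legitimate registrable domain or a subdomain of it."""
    h = host.lower().rstrip(".")
    rd = registrable_domain(LEGIT_HOST)
    return h == rd or h.endswith("." + rd)


def assess(host: str) -> dict:
    """Return a verdict for one hostname together with the evidence behind it."""
    if is_under_legit_domain(host):
        return {"host": host, "suspicious": False, "reason": "under legitimate domain"}
    norm = normalize(host)
    tokens = [t for t in BRAND_TOKENS if t in norm]
    similarity = SequenceMatcher(None, norm, normalize(LEGIT_HOST)).ratio()
    # All brand tokens present is suspicious on its own; a partial match needs
    # the whole name to resemble the real endpoint closely (typo-squats).
    suspicious = bool(tokens) and (
        len(tokens) == len(BRAND_TOKENS) or similarity >= SIMILARITY_THRESHOLD
    )
    return {
        "host": host,
        "suspicious": suspicious,
        "tokens": tokens,
        "similarity": round(similarity, 2),
    }


def flag_lookalikes(hosts) -> list:
    """Hostnames from the input judged to be impersonating LEGIT_HOST."""
    return [h for h in hosts if assess(h)["suspicious"]]


# Constructed sample feed of newly observed hostnames. None are from the report.
CANDIDATES = [
    "adfs.example-senate.gov",      # the real endpoint
    "login.example-senate.gov",     # legitimate sibling host
    "adfs-example-senate.email",    # hyphen for dot, new TLD
    "adfs.example-senate.group",    # same labels, different TLD
    "examp1e-senate-adfs.com",      # digit homoglyph, labels reordered
    "adfs.example-senat.gov",       # one letter dropped from the domain
    "mail.contoso.example",         # unrelated
]

if __name__ == "__main__":
    for host in CANDIDATES:
        print(assess(host))
```

Hosts under the organization’s own registrable domain are trusted before any string comparison runs, so the check only ever fires on names the organization does not control. The hyphen-to-dot normalization matters because a phishing host typically keeps the victim’s familiar labels but has to join them differently to obtain a domain it can register.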
Senator Ron Wyden (D-OR), an outspoken member of the Senate Intelligence Committee, warned last spring that the Senate needs to adopt basic cybersecurity practices, such as two-factor authentication, to protect senators and their staffs when they access sensitive government systems. Senator Wyden also pushed the Senate to adopt Signal, the end-to-end encrypted messenger, for secure communications.