Trend Micro Reveals Phishing Campaign Targeting US Senators

Trend Micro, a Japanese security company, published a report showing that the Pawn Storm (also known as Fancy Bear) cyberespionage group has become increasingly aggressive in targeting political organizations, including U.S. senators, over the last few years.

Pawn Storm History

Pawn Storm's activity has been traced back to 2004, and for a decade it operated fairly stealthily. Since Trend Micro began tracking the group in 2014, however, the company has published more than a dozen reports on its activities.

The security company found that Pawn Storm prefers phishing as its way into political organizations and politicians, and that its techniques haven't changed much over the years. The attacks are nonetheless well prepared, persistent, and difficult to defend against. Besides plain credential phishing, the group's phishing emails mainly exploit known vulnerabilities that its targets haven't yet patched; occasionally it also uses zero-day software flaws.

The Pawn Storm group has been attacking political targets in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

Attributing cyber attacks is usually difficult, especially with sophisticated groups: an attacker can hide its tracks in many ways, including impersonating other organizations (false flags) to mislead or derail investigators. Nevertheless, many of the security experts who have examined the group's attacks and its choice of targets believe it is tied to the Russian government.

Pawn Storm Targets U.S. Senate

Trend Micro recently discovered that the group has also begun targeting the sign-in system for the U.S. Senate's internal email. From the report:

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.
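The attack described above works because a phishing page only has to look like the ADFS sign-in form; the real server being unreachable from the internet does not stop a target from typing a password into a copy hosted on a look-alike domain. One detection a defender can run over proxy or DNS logs is to flag hosts that carry the organization's brand word and "adfs" but sit outside the organization's own domain, especially when they also serve the standard ADFS sign-in path `/adfs/ls`. The following is an added example, not code from Trend Micro or the article; the legitimate hostname (`adfs.senate.gov`), the confusable-character list and the proxy log lines are constructed assumptions for illustration.

```python
"""Flag proxy-log hits on hostnames that imitate an organization's ADFS sign-in page.

Added example, not code from Trend Micro or Tom's Hardware. The legitimate
hostname, the confusable list and the log format are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumed legitimate federation endpoint (hypothetical; substitute your own).
LEGIT_ADFS_HOST = "adfs.senate.gov"
LEGIT_ORG_DOMAIN = "senate.gov"
ORG_TOKEN = "senate"          # brand word a look-alike host keeps so the URL reads right
# Standard ADFS passive sign-in path; phishing kits copy it so the URL looks familiar.
ADFS_SIGNIN_PATH = "/adfs/ls"

# Character swaps used to make a look-alike read like the real thing
# (constructed, not exhaustive). Multi-character entries must be applied first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("q", "g")]

# Constructed proxy log lines for the demonstration (not real traffic).
SAMPLE_PROXY_LOG = """\
2017-06-12T09:14:03Z user=alice url=https://adfs.senate.gov/adfs/ls/?wa=wsignin1.0 status=200
2017-06-12T09:16:41Z user=bob url=https://adfs.senate.qov.info/adfs/ls/?wa=wsignin1.0 status=200
2017-06-13T11:02:10Z user=carol url=https://adfs-senate.email/adfs/ls/ status=200
2017-06-13T12:30:00Z user=dave url=https://www.example.com/news/ status=200
2017-06-14T08:00:00Z user=erin url=https://login.microsoftonline.com/ status=200
2017-06-14T08:05:12Z user=frank url=https://adfs.senate.gov.sso-portal.info/adfs/ls/ status=200
"""

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+url=(?P<url>\S+)")


def is_legitimate(host: str) -> bool:
    """True only for the real ADFS host or a subdomain of the real org domain.

    A suffix match on '.senate.gov' is what defeats the 'adfs.senate.gov.evil.tld'
    trick: that host ends in 'evil.tld', not in '.senate.gov'.
    """
    host = host.lower().rstrip(".")
    return (host == LEGIT_ADFS_HOST or host == LEGIT_ORG_DOMAIN
            or host.endswith("." + LEGIT_ORG_DOMAIN))


def normalize(host: str) -> str:
    """Collapse look-alike characters and separators: 'adfs.senate.qov' -> 'adfssenategov'."""
    s = host.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return re.sub(r"[^a-z]", "", s)


def classify(url: str) -> str:
    """Return 'legit', 'lookalike-adfs', 'suspicious' or 'benign' for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_legitimate(host):
        return "legit"
    norm = normalize(host)
    brand_on_foreign_host = "adfs" in norm and ORG_TOKEN in norm
    adfs_path = parts.path.lower().startswith(ADFS_SIGNIN_PATH)
    if brand_on_foreign_host and adfs_path:
        return "lookalike-adfs"
    if brand_on_foreign_host or adfs_path:
        return "suspicious"
    return "benign"


def scan_log(log_text: str):
    """Return (user, host, verdict) for every line that is neither legit nor benign."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        verdict = classify(url)
        if verdict not in ("legit", "benign"):
            hits.append((m.group("user"), urlsplit(url).hostname, verdict))
    return hits


if __name__ == "__main__":
    for user, host, verdict in scan_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:15} {user:8} {host}")
```

The check is deliberately narrow: it only sees hosts that users actually resolved or visited, so it catches successful lures after the fact rather than preventing them, and a kit that drops the `/adfs/ls` path or the brand word will only score as "suspicious" or slip through. It is a cheap triage signal to pair with registered-domain monitoring and phishing-resistant sign-in, not a replacement for either.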

Senator Ron Wyden (D-OR), an outspoken member of the Senate Intelligence Committee, warned last spring that the Senate needs to adopt basic cybersecurity practices, such as two-factor authentication, to protect senators and their staffs when they access sensitive government systems. One caveat worth keeping in mind: a second factor based on one-time codes can still be relayed by a phishing page that forwards the victim's input to the real login in real time, whereas hardware security keys bound to the genuine site's origin cannot be tricked that way. Senator Wyden was also responsible for the Senate adopting Signal, the end-to-end encrypted messenger, for secure communications.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jojesa
    If you have seen and heard most USA politicians, then you realize that it doesn't take sophisticated groups of cyber-criminals to get them.
    Reply
  • berezini
VV it only takes a few dollars to make them do whatever you want.
    Reply
  • chicofehr
    The average age of US Senators is over 60. Not the most savvy generation when it comes to tech. Expect hacks and leaks in future.
    Reply
  • WyomingKnott
    Hey, keep that down. I'm in my late fifties and I'm a full-stack engineer at a startup. Besides, it's not the job of the senators to keep their systems secure. Doesn't Congress have infrastructure and an IT staff? End users should be responsible for things like not sending out their passwords when they get an email asking for their credentials.
    Reply