Pawn Storm, one of the most notorious global hacking groups, has been relying on increasingly sophisticated techniques to compromise organisational defences.

By Indi Siriniwasa, vice-president of Trend Micro Sub-Saharan Africa

From spear-phishing emails to malware focused on Web and cloud services, Trend Micro research has highlighted the mechanics behind some of Pawn Storm’s most recent attacks.

This new data revolves around the group’s credential phishing, direct probing of Web mail and Microsoft Exchange Autodiscover servers, and large-scale scanning activities to search for vulnerable servers. Amongst its most prominent targets in 2019 were members of defence companies, embassies, governments, and the military.

Tip of the spear

Given the current global crisis, Pawn Storm is expected to continue with this line of attack for the foreseeable future. Of particular concern is the spear-phishing side, where the group has used compromised email accounts of high-profile targets to send credential-phishing messages. Throughout the year, Pawn Storm attackers probed for the network ports of exposed email services (such as webmail, IMAP and SMTP) and then used those services to brute-force credentials.
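The brute-forcing described above leaves a footprint on the mail server itself. The following is an added example, not code from the article or from Trend Micro, that classifies failed IMAP logins into password spraying (one source, many accounts) and brute force (one source, one account, many attempts). The log lines are constructed to resemble Dovecot's imap-login failure format, and the thresholds are assumptions to tune for your environment.

```python
"""Added example: flag brute-force and password-spray activity against an
exposed IMAP service from Dovecot-style auth-failure log lines.
Log lines and thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample lines modelled on Dovecot's "imap-login: Disconnected
# (auth failed, N attempts in S secs)" format. The successful "Login:" line
# is included to show that it is ignored.
SAMPLE_LOG = """\
Mar 03 09:12:01 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS
Mar 03 09:12:03 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS
Mar 03 09:12:05 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS
Mar 03 09:12:07 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS
Mar 03 09:12:09 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, TLS
Mar 03 09:13:40 mx1 dovecot: imap-login: Disconnected (auth failed, 4 attempts in 9 secs): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.2, TLS
Mar 03 09:13:52 mx1 dovecot: imap-login: Disconnected (auth failed, 4 attempts in 8 secs): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.2, TLS
Mar 03 09:14:03 mx1 dovecot: imap-login: Disconnected (auth failed, 4 attempts in 8 secs): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.2, TLS
Mar 03 09:15:10 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<dave>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.2, TLS
Mar 03 09:15:30 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.2, TLS
"""

# Captures the attempt count, the target user and the remote IP (rip=).
FAIL_RE = re.compile(
    r"auth failed, (?P<n>\d+) attempts[^)]*\): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[^,\s]+)"
)


def parse_failures(log_text):
    """Yield (remote_ip, user, attempts) for each auth-failed disconnect line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m["rip"], m["user"], int(m["n"])


def classify(log_text, spray_users=4, brute_attempts=8):
    """Return {remote_ip: verdict} where verdict is one of
    'password-spray', 'brute-force' or 'benign'.

    Thresholds are assumptions: spray_users distinct accounts from one IP
    counts as spraying; brute_attempts total failures counts as brute force.
    Spraying takes precedence when both conditions hold."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for rip, user, n in parse_failures(log_text):
        per_ip[rip]["attempts"] += n
        per_ip[rip]["users"].add(user)

    verdicts = {}
    for rip, stats in per_ip.items():
        if len(stats["users"]) >= spray_users:
            verdicts[rip] = "password-spray"
        elif stats["attempts"] >= brute_attempts:
            verdicts[rip] = "brute-force"
        else:
            verdicts[rip] = "benign"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```

Spraying is the case worth watching for here: a source that tries one password against many accounts stays below any per-account lockout threshold, so counting distinct users per source IP, not just failures per account, is what surfaces it.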

While phishing and spear phishing share similar techniques, they are not to be confused. Phishing is a generally exploratory attack that targets a broader audience, while spear phishing is a targeted version of phishing. In spear phishing, the successful theft of credentials or personal information is often only the beginning of the attack.

The information is used to gain access to a network that could ultimately lead to a targeted attack. Imagine how much damage Pawn Storm could do by having access to the credentials of a C-suite executive at a utility supplier or a government health department.

Even though defence companies in the Middle East have been the primary targets, Pawn Storm also set its sights on transport, utilities, and government sectors of countries such as the US, Ukraine, and Iran.

New ways

Granted, Pawn Storm still relies on malware and zero-day attacks, but last year's shift to scanning for vulnerable email servers is new. The group could be attempting to evade filtering, at the cost of making some of its successful compromises known to security companies.

However, the research did not reflect a significant change in successful inbox deliveries of the group’s spam campaigns. This makes the rationale for the change in focus a difficult one to understand.

Additionally, the research found that Pawn Storm used the OpenVPN option of commercial VPN service providers to connect to dedicated hosts that send out spam. These dedicated spam-sending servers used specific domain names in the EHLO command of their SMTP sessions with the targets' mail servers.
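Because the EHLO hostname is chosen by the sending server, it is a cheap fingerprint for a defender to log and check. The following is an added example, not code from the article or from Trend Micro, that pulls the helo name out of Postfix smtpd reject entries and flags sessions whose EHLO is on a watchlist, is not a fully qualified name, or does not match the connecting host's reverse DNS. The log lines, the watchlist entry and the hostnames are all constructed; the article does not disclose the actual domain names Pawn Storm used.

```python
"""Added example: check the EHLO/HELO hostnames of inbound SMTP sessions
recorded in Postfix smtpd reject log entries.  All log lines, hostnames
and the watchlist are constructed for illustration."""
import re

# Constructed sample lines modelled on Postfix smtpd entries. Reject entries
# carry the client's helo=<...>; the plain "connect from" line does not and
# is ignored by the parser.
SAMPLE_LOG = """\
Mar 03 10:01:20 mx1 postfix/smtpd[2831]: connect from unknown[198.51.100.7]
Mar 03 10:01:22 mx1 postfix/smtpd[2831]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 <mx.constructed-example.test>: Helo command rejected: Host not found; from=<news@bulk.test> to=<ceo@example.org> proto=ESMTP helo=<mx.constructed-example.test>
Mar 03 10:04:51 mx1 postfix/smtpd[2840]: NOQUEUE: reject: RCPT from relay.isp.test[203.0.113.20]: 554 5.7.1 <ceo@example.org>: Recipient address rejected: Access denied; from=<alerts@isp.test> to=<ceo@example.org> proto=ESMTP helo=<WIN-PC>
Mar 03 10:09:03 mx1 postfix/smtpd[2844]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.8]: 554 5.7.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<ops@partner.test> to=<nobody@example.org> proto=ESMTP helo=<mail.partner.test>
"""

# Constructed watchlist: EHLO names you have decided to alert on (lowercase).
WATCHLIST = {"mx.constructed-example.test"}

# "RCPT from <rdns>[<ip>]: ... helo=<name>". Postfix logs "unknown" as the
# reverse-DNS name when the client IP has no PTR record.
HELO_RE = re.compile(r"from (?P<rdns>\S+)\[(?P<ip>[^\]]+)\]:.*?helo=<(?P<helo>[^>]*)>")

# Loose FQDN check: at least one dot, label characters only, no leading dash.
FQDN_RE = re.compile(r"^(?!-)(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}$")


def ehlo_findings(log_text, watchlist=WATCHLIST):
    """Return a list of (client_ip, helo, reasons) for sessions worth a look.
    Sessions with no finding are omitted."""
    findings = []
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if not m:
            continue
        helo = m["helo"].lower()
        rdns = m["rdns"].lower()
        reasons = []
        if helo in watchlist:
            reasons.append("watchlisted-helo")
        if not FQDN_RE.match(helo):
            reasons.append("non-fqdn-helo")
        # Only compare when Postfix actually resolved a reverse name.
        if rdns != "unknown" and helo != rdns:
            reasons.append("helo-rdns-mismatch")
        if reasons:
            findings.append((m["ip"], helo, reasons))
    return findings


if __name__ == "__main__":
    for ip, helo, reasons in ehlo_findings(SAMPLE_LOG):
        print(f"{ip:16} helo={helo:32} {', '.join(reasons)}")
```

The rDNS comparison is deliberately strict and will flag legitimate senders whose EHLO and PTR names differ, so treat it as a triage signal rather than a blocking rule; the watchlist match is the check to act on once you have an indicator from an incident or a vendor report.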

But while the group’s techniques might change, the history of Pawn Storm shows that it has significant resources at its disposal to pivot wherever needed. Furthermore, once the group has set its sights on a target, its ability to engage in lengthy campaigns to identify and exploit compromises, means no organisation or government entity can consider itself safe.

Ultimately, decision-makers must secure their defences by taking an integrated approach to all access points across the perimeter. Employee education, especially around identifying phishing (and spear-phishing) attacks, is a core component of this.