Cyber-Espionage Group Hijacked Email Accounts to Send Phishing Emails to Potential Victims


The Russia-linked cyber-espionage group known as Pawn Storm has been using compromised email accounts to send phishing emails to prospective victims, Trend Micro's security researchers report.

Active since at least 2004, the group is also tracked as APT28, Sednit, Fancy Bear and Strontium, and is believed to be backed by Russia's GRU military intelligence service. The adversary is alleged to have orchestrated attacks on Russia, NATO, and the DNC in the run-up to the 2016 election in the United States.

For years, Pawn Storm has relied on phishing to gain access to networks of interest. In May 2019, however, Trend Micro observed a change in the group's tactics, techniques, and procedures (TTPs): it began using compromised high-profile email accounts to send credential phishing emails.

The technique was used in both 2019 and 2020, with most of the abused email accounts belonging to defense contractors in the Middle East. Other victims were found in the transportation, utilities, and government sectors.

“The reason for the shift to the use of compromised email accounts of (mostly) defense companies in the Middle East is unclear. Pawn Storm could be attempting to evade spam filtering at the cost of making some of their successful compromises known to security companies. However, we did not notice a significant change in successful inbox deliveries of the group’s spam campaigns, making it difficult to understand the rationale behind the change in methodology,” Trend Micro notes in a new report (PDF).

Last year, the group also probed email servers and Microsoft Exchange Autodiscover services worldwide, mainly on TCP port 443, IMAP ports 143 and 993, POP3 ports 110 and 995, and SMTP ports 465 and 587.

These scans were likely aimed at finding vulnerable systems, brute-forcing credentials, harvesting email addresses, and sending out spam.

Between August and November 2019, the group targeted militaries, defense contractors, governments, law firms, political parties, and universities, as well as private schools in France and the United Kingdom, and kindergartens in Germany.

In November and December 2019, the attackers used the same IP address both to host websites and to scan networks for exposed TCP ports 445 and 1433, possibly in an effort to identify exposed servers running Microsoft SQL Server and Directory Services.
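The port probing described above, against mail services and against ports 445 and 1433, is something a defender can look for in perimeter logs. The following is an added example, not code from the article or from Trend Micro's report: it flags any source address that touches several of the ports the article names within a short window. The log line format, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the article: HTTPS/Autodiscover, IMAP, POP3, SMTP submission,
# plus SMB (445) and Microsoft SQL Server (1433).
MAIL_PORTS = {443, 143, 993, 110, 995, 465, 587}
WINDOWS_PORTS = {445, 1433}
WATCHED = MAIL_PORTS | WINDOWS_PORTS

# Assumed (constructed) firewall log format:
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

# Constructed sample: one scanner, one legitimate IMAP client, and one slow
# source whose probes fall outside the detection window.
SAMPLE_LOG = """\
2019-11-02T10:00:01 src=198.51.100.7 dst=203.0.113.10 dport=443 action=deny
2019-11-02T10:00:03 src=198.51.100.7 dst=203.0.113.10 dport=993 action=deny
2019-11-02T10:00:05 src=198.51.100.7 dst=203.0.113.10 dport=587 action=deny
2019-11-02T10:00:08 src=198.51.100.7 dst=203.0.113.11 dport=445 action=deny
2019-11-02T10:01:00 src=192.0.2.44 dst=203.0.113.10 dport=993 action=allow
2019-11-02T10:02:00 src=192.0.2.44 dst=203.0.113.10 dport=993 action=allow
2019-11-02T10:03:00 src=203.0.113.200 dst=203.0.113.12 dport=1433 action=deny
2019-11-02T13:30:00 src=203.0.113.200 dst=203.0.113.12 dport=445 action=deny
2019-11-02T13:31:00 src=203.0.113.200 dst=203.0.113.12 dport=443 action=deny
"""

def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_probers(lines, window=timedelta(minutes=10), min_ports=3):
    """Return {src: sorted watched ports} for sources that hit at least
    min_ports distinct watched ports within any window-long interval."""
    events = defaultdict(list)
    for ts, src, _dst, port in parse(lines):
        if port in WATCHED:
            events[src].append((ts, port))
    hits = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each start index opens a sliding window
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for src, ports in find_probers(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed watched ports {ports}")
```

Only the first source is reported; the repeated IMAP logins from one client and the two probes spread over hours from the third source stay below the threshold.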

Between 2017 and 2019, Pawn Storm also ran several credential phishing campaigns from its own infrastructure, including large-scale campaigns against webmail providers in the United States, Russia, and Iran, the security researchers say.

“The threat actor group has plenty of resources that allow them to run lengthy campaigns, determined in the pursuit of their targets. Their attacks, which range from compromising DNS settings and tabnabbing to creating watering holes and taking advantage of zero-days, have been nothing short of sophisticated. And as evidenced by their recent activities, we expect even more direct attacks against webmail and cloud services that don’t rely on malware,” Trend Micro concludes.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.