Trend Micro Incorporated released its latest research report on the activity of Pawn Storm (aka APT28 and Fancy Bear), an active cyber-espionage group that targets the global defense industry and politicians, among others. Trend Micro’s researchers have found and continue to find phishing domains created in March and April connected to political campaigns in France and Germany. Konrad Adenauer Stiftung, a political organization in Germany, and Emmanuel Macron’s campaign in France have both been targeted this year.
The Pawn Storm group has been operating for years and Trend Micro first took note of their activities way back in 2004. But Pawn Storm has become increasingly relevant over the past two years, particularly because the group has been found to be doing more than espionage alone. In 2016, Pawn Storm attempted to influence public opinion, influence elections, and attempted to sway the mainstream media with stolen data. Today the impact can be felt by various industries and enterprises operating throughout the world. Even the average citizen might be impacted as Pawn Storm tries to manipulate people’s opinions about domestic and international affairs.
The research paper by Trend Micro takes a look at Pawn Storm's operations within the last two years which also has compiled data on targets and campaigns conducted by the group, as well as details on the specific attacks used to compromise victims. The paper also provides some guidelines on how to defend against this increasingly relevant threat, as well as solutions that can protect organizations from Pawn Storm's tactics.
“Our researchers have observed activity going back seven years targeting government, military, media, and political organizations around the world. In this report our researchers document the group’s shift to focus on cyber propaganda over the past two years and their 400 percent increase in targeting activity in 2016 alone,” said Ed Cabrera, Chief Cybersecurity Officer, Trend Micro.
Following the extensive headlines made in 2016 related to their impact on the U.S. election, Trend Micro’s 2017 predictions report states that cyber propaganda will become a norm. The report even references the elections in France and Germany where we now see Pawn Storm meddling.
To defend against an attacker like Pawn Storm, Trend Micro provides Trend Micro™ InterScan™ Web Security, which is a virtual appliance or a cloud-based service that protects against cyber threats at the internet gateway with Advanced Persistent Threat (APT) detection, real-time web reputation, and URL filtering. This tool blocks user access to malicious URLs that are part of elaborate phishing scams. Pawn Storm uses command-and-control (C&C) servers across multiple countries to communicate with compromised systems, relay information, and deploy their attacks. Trend Micro Deep Discovery Inspector prevents these scenarios from taking place by monitoring network traffic, C&C communications, encryption behaviors, and zero-day exploitation.
Pawn Storm compromises corporate email systems by changing their DNS settings to point to a proxy server and intercepting incoming emails. Trend Micro provides an efficient solution that organizations can rely on to safeguard enterprise email servers through Trend Micro Deep Security. Pawn Storm exploits zero-day vulnerabilities and Trend Micro identifies it through TippingPoint® Next Generation Intrusion Prevention System (NGIPS), which is a comprehensive and contextual awareness network traffic solution for advanced threats that exploit zero-day vulnerabilities.