According to Trend Micro’s research, since May 2019 Pawn Storm (also known as Fancy Bear or APT28), a notorious Russian state-sponsored cyber espionage threat group, has been scanning servers and reusing previously compromised email accounts. The compromised email addresses are used to carry out phishing campaigns aimed mainly at defense firms in the Middle East, with the intent of cyber espionage.
Although defense companies in the Middle East have been the primary targets, the group’s operators have also targeted other verticals, including transportation, utilities, and government sectors in countries such as the U.S., Ukraine and Iran. The researchers said that APT28 has been scanning email and Microsoft Exchange Autodiscover servers for vulnerabilities that could be brute-forced and then used for data exfiltration and phishing attacks. The operators use the OpenVPN configurations of commercial VPN providers to hide their trails.
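As an added illustration of the Autodiscover brute-forcing described above (example code, not part of the original article or of Trend Micro’s research), the following Python snippet flags source IPs with repeated authentication failures against the Exchange Autodiscover endpoint in constructed IIS-style log lines. The field layout and the assumption that the attempted username is recorded in the log are simplifications.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified IIS W3C layout (not real data).
# Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
2019-05-14 08:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 203.0.113.7 401
2019-05-14 08:00:02 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\alice 203.0.113.7 401
2019-05-14 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\bob 203.0.113.7 401
2019-05-14 08:00:04 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\carol 203.0.113.7 401
2019-05-14 08:00:05 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\dave 203.0.113.7 401
2019-05-14 08:00:06 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\erin 203.0.113.7 401
2019-05-14 08:00:07 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\alice 198.51.100.2 401
2019-05-14 08:00:08 10.0.0.5 POST /autodiscover/autodiscover.xml CORP\\alice 198.51.100.2 200
2019-05-14 08:00:09 10.0.0.5 GET /owa/ CORP\\frank 192.0.2.9 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<user>\S+) (?P<cip>\S+) (?P<status>\d{3})$"
)


def parse(line):
    """Split one log line into named fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def autodiscover_bruteforce(log_text, threshold=5):
    """Return {client_ip: {"failures": n, "users": set}} for every source that
    produced at least `threshold` failed (HTTP 401) requests to /autodiscover/.
    A single 401 is normal (the challenge before a successful NTLM/Basic login),
    so only sources above the threshold are reported."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["uri"].lower().startswith("/autodiscover/"):
            continue
        if rec["status"] != "401":
            continue
        entry = stats[rec["cip"]]
        entry["failures"] += 1
        if rec["user"] != "-":  # "-" is the anonymous/unauthenticated marker
            entry["users"].add(rec["user"])
    return {ip: e for ip, e in stats.items() if e["failures"] >= threshold}


if __name__ == "__main__":
    for ip, e in autodiscover_bruteforce(SAMPLE_LOG).items():
        print(ip, e["failures"], "failures, users tried:", sorted(e["users"]))
```

With the constructed sample, only 203.0.113.7 is reported (six failures across five usernames); the single 401 followed by a 200 from 198.51.100.2 is the ordinary challenge-then-success pattern and is not flagged.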
A Brief History of APT28
The threat group’s activity can be traced back to 2004. APT28 is widely known for cyber espionage campaigns against high-profile entities ranging from economic and political institutions to media and government organizations. Since its inception it has targeted the military, embassies, and defense contractors of the U.S. and its allies, as well as international bodies such as the North Atlantic Treaty Organization (NATO).
APT28’s Attack Vectors
According to earlier primary research, the APT28 threat group primarily uses three attack vectors:
- Phishing Emails: The operators use malicious spear-phishing emails to drop multistage malware that collects the victim’s system information. These campaigns are usually timed around geopolitical issues or upcoming events and conferences to increase the hit ratio.
- Phishing Websites: The threat actors have also created several phishing websites and fake Outlook Web Access (OWA) pages hosted on typo-squatted URLs. Entering user credentials on such pages results in those credentials being stolen.
- Malicious iframes: This third vector was observed being injected into Polish government websites. For selected targets, the malicious iframe exploits also led to Sednit installations.