Researchers uncover sophisticated cyber espionage campaign

A cyber espionage campaign against military, diplomatic and defence industry targets in the US and Europe is discovered

Hackers carried out political and economic cyber espionage attacks on military, diplomatic and defence industry targets in the US, Europe and Pakistan, security researchers have found.

The researchers at security firm Trend Micro have not publicly identified the attackers, but said the group conducted espionage using malicious spear phishing emails, phishing websites and malware.

The attack operation has been dubbed “Pawn Storm”, which refers to the attackers’ use of two or more connected tools or tactics to attack a specific target similar to the chess strategy of the same name.

The phishing attacks used a simple JavaScript trick to target Microsoft Outlook Web Access (OWA) that could be particularly dangerous to any organisation using this technology, the research report said.

The attackers used specially crafted emails to trick targets into visiting bogus OWA login pages and entering their credentials.

Analysis of six multi-stage attacks revealed the common use of Sednit or Sofacy malware, designed to collect data and send it to the attackers.

“We believe the threat actors aimed to confuse their targets’ IT administrators by making it hard for them to string attack components together, thus evading detection,” the research report said.

Spear-phishing campaign

The attacks were carried out with the aid of five spear-phishing emails with plausible subjects to trick targeted individuals into opening malicious attachments designed to compromise their systems.

The targets of these emails included the French Ministry of Defence in 2011; the Vatican embassy in Iraq in 2012; military officials in several countries in 2013; and military officials in Pakistan and Polish government officials, in 2014.

In the past couple of months, the researchers found the attackers had also started using the watering hole attack method of compromising legitimate sites commonly visited by targeted individuals.

Legitimate sites in Poland were compromised to redirect targeted visitors to a fake military contractor website, designed to infect victims’ computers with information-stealing malware.

The researchers found attackers selected targets among visitors to the compromised site by checking operating system versions, language setting, time zone and software installed.

Defend your organisation against attack

These kinds of attacks work because many companies allow employees to use webmail services to access their mailboxes while on business travel or at home, according to independent security consultant Graham Cluley.

“Once successful, attackers can gain access to compromised mailboxes that they can then use to gain a foothold in target networks,” he wrote in a blog post.

Cluley noted that these attack techniques can be used against any organisation, not just defence contractors, embassies and government departments.

All organisations should make sure their computer systems are strongly defended and patched promptly, he said, and train staff to be very careful about what files they open, what links they click on, and where they choose to enter their username and password.

Read more on Privacy and data protection