For the past year, one of the most notorious hacking groups, known variously as Pawn Storm, APT28, Fancy Bear, and Sednit, has been scanning the internet for vulnerable email servers and Microsoft Exchange Autodiscover servers, according to a recent report from cyber-security firm Trend Micro.
The group, which gained notoriety for cyber attacks on a wide array of targets, including defense contractor personnel, embassies, and the military forces of the United States and its allies, has long relied on sophisticated social engineering lures, data-stealing malware, zero-days, and private exploit kits to infect victims. In the last year, however, the hackers changed their approach and began using previously hacked email accounts to send phishing messages.
Since at least May of last year, the group has used hacked email accounts belonging to high-profile personnel at defense firms in the Middle East to carry out the operation.
“Pawn Storm continues to deploy malware against its targets, but it has also been seen directly attacking web and cloud services instead of taking the more common route of infecting targets through spear phishing,” Trend Micro says.
“The actor connects to a dedicated server using the OpenVPN option of a commercial VPN provider and then uses compromised email credentials to send out credential spam via a commercial email service provider. The group used this scheme over an extended period in 2019 to 2020, with the most compromised email accounts belonging to defense companies in the Middle East.”
Once the hackers identify a vulnerable email server, they launch brute-force attacks to steal credentials, exfiltrate email data, and use the compromised email accounts to send out spam messages. From the defender's side, this stage shows up in the mail server's authentication logs as bursts of failed logins from one source address, either hammering a single account or, in the password-spraying variant, trying a few passwords across many accounts; because the actor connects through a commercial VPN, the login pattern itself, rather than the reputation of the source address, is the signal worth alerting on.
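The detection logic described above, as an added example that is not part of the original article or of Trend Micro's report: a small Python detector that parses mail-server authentication events, keeps a sliding time window per source address, and flags single-account brute forcing, password spraying across many accounts, and a successful login that follows a burst of failures (the point at which an account should be treated as compromised). The log format is a constructed, simplified one-line-per-event layout, not any real server's output; the addresses, account names and domain are constructed sample data (documentation IP ranges and an `.example` domain), and the thresholds and window size are assumptions to tune per environment.

```python
"""Flag credential brute force and password spraying in mail-server auth logs.

Added example (not the article's or Trend Micro's code). Assumes a constructed,
simplified log format: '<ISO-8601 UTC ts> <service> <ok|fail> user=<addr> rip=<ip>'.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (assumption); a real deployment would adapt LOG_RE to
# the server's own auth-log lines.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) (?P<result>ok|fail) user=<(?P<user>[^>]*)> rip=(?P<ip>\S+)"
)

# Constructed sample events: one source brute-forcing a single account and then
# succeeding, one source spraying six accounts, and one ordinary user who mistyped
# a password once. IPs are from documentation ranges; the domain is made up.
SAMPLE_LOGS = """\
2019-09-03T08:00:00Z imap-login connection from 198.51.100.7
2019-09-03T08:00:01Z imap-login fail user=<a.hassan@defense.example> rip=198.51.100.7
2019-09-03T08:00:02Z imap-login fail user=<a.hassan@defense.example> rip=198.51.100.7
2019-09-03T08:00:03Z imap-login fail user=<a.hassan@defense.example> rip=198.51.100.7
2019-09-03T08:00:04Z imap-login fail user=<a.hassan@defense.example> rip=198.51.100.7
2019-09-03T08:00:05Z imap-login fail user=<a.hassan@defense.example> rip=198.51.100.7
2019-09-03T08:00:06Z imap-login fail user=<a.hassan@defense.example> rip=198.51.100.7
2019-09-03T08:00:07Z imap-login ok user=<a.hassan@defense.example> rip=198.51.100.7
2019-09-03T08:10:00Z autodiscover fail user=<m.ali@defense.example> rip=203.0.113.9
2019-09-03T08:11:00Z autodiscover fail user=<s.omar@defense.example> rip=203.0.113.9
2019-09-03T08:12:00Z autodiscover fail user=<r.nasser@defense.example> rip=203.0.113.9
2019-09-03T08:13:00Z autodiscover fail user=<k.said@defense.example> rip=203.0.113.9
2019-09-03T08:14:00Z autodiscover fail user=<l.farah@defense.example> rip=203.0.113.9
2019-09-03T08:15:00Z autodiscover fail user=<h.yusuf@defense.example> rip=203.0.113.9
2019-09-03T09:00:00Z imap-login fail user=<j.doe@defense.example> rip=192.0.2.5
2019-09-03T09:00:05Z imap-login ok user=<j.doe@defense.example> rip=192.0.2.5
""".splitlines()


def parse(lines):
    """Parse auth events; lines that are not login results are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, window_s=600, brute_threshold=5, spray_threshold=5):
    """Return {ip: finding} for source addresses whose login pattern looks hostile.

    brute_force:            accounts with >= brute_threshold failures from this IP
                            inside one window.
    password_spray:         peak number of distinct accounts failed from this IP
                            inside one window (reported when >= spray_threshold).
    success_after_failures: accounts that logged in OK from this IP right after
                            >= brute_threshold failures in the window.
    Thresholds and window are assumptions; tune them to the environment.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        brute, spray_peak, successes = set(), 0, []
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window's left edge so it spans at most window_s seconds.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            failed = defaultdict(int)  # account -> failures inside the window
            for w in evs[start:end + 1]:
                if w["result"] == "fail":
                    failed[w["user"]] += 1
            if ev["result"] == "fail":
                if failed[ev["user"]] >= brute_threshold:
                    brute.add(ev["user"])
                spray_peak = max(spray_peak, len(failed))
            elif sum(failed.values()) >= brute_threshold:
                successes.append(ev["user"])
        if brute or spray_peak >= spray_threshold or successes:
            findings[ip] = {
                "brute_force": sorted(brute),
                "password_spray": spray_peak,
                "success_after_failures": successes,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse(SAMPLE_LOGS)).items():
        print(ip, finding)
```

On the constructed sample, 198.51.100.7 is reported for brute-forcing `a.hassan@defense.example` and then logging in successfully, 203.0.113.9 for spraying six distinct accounts, and 192.0.2.5 (one typo, then success) is not reported. The per-window recount is quadratic in window size, which is fine for an ad-hoc hunt over a day of logs; a streaming deployment would keep running counters instead. The "success after failures" finding is the one to act on first: rotate that account's credential and review its sent mail and mailbox rules, since the article's point is that such accounts are then used to send the next round of phishing.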
According to Trend Micro, the list of organizations whose email accounts were compromised by the Pawn Storm group between August and November 2019 includes armed forces, defense companies, an airport, governments, law firms, political parties, universities, private schools, and even a kindergarten.
“The threat actor group has plenty of resources that allow them to run lengthy campaigns, determined in the pursuit of their targets. Their attacks, which range from compromising DNS settings and tabnabbing to creating watering holes and taking advantage of zero-days, have been nothing short of sophisticated. And as evidenced by their recent activities, we expect even more direct attacks against webmail and cloud services that don’t rely on malware,” the researchers conclude.