
Pawn Storm continues with persistent scanning seeking security compromises

Indi Siriniwasa, VP at Trend Micro Sub-Saharan Africa

Johannesburg, 01 Jun 2020

Even though Pawn Storm continues to deploy malware against its targets, Trend Micro research shows that the notorious espionage group has been using its ample resources to begin directly attacking Web and cloud services.

This advanced persistent threat (APT) group has been active since at least 2004 and has grown in sophistication over the years. From spear-phishing e-mails to malicious iframes (code that infects Web pages), it has been targeting everyone from the defence industry and multinationals to political parties and the media. In the case of the latter, Pawn Storm has attempted to influence mainstream media and public opinion. In 2016, for example, the group approached media by offering them ‘exclusive’ information on the German political party Christian Democratic Union, the Turkish parliament, and the World Doping Agency, among others.

Last year, Pawn Storm performed daily probes on numerous e-mail servers and Microsoft Exchange Autodiscover servers around the world. It connected to several Transmission Control Protocol (TCP) ports related to e-mail. The probing centred on TCP port 443 as well as several others, in an apparent attempt to look for vulnerable systems, brute-force credentials, exfiltrate e-mail data and send out spam waves.

Trend Micro research has shown that the typical targets for Pawn Storm from August to November last year were military, government, civil aviation authorities, aeronautics companies and even private schools in France, to name a few. It is especially the military forces in South America and governments in the Middle East that fell victim to large-scale data exfiltration.

Furthermore, Pawn Storm appeared to do large-scale scans on TCP ports 445 and 1433 that were surprisingly obvious. In these instances, the group appeared to try and find vulnerable servers running Microsoft SQL Server and Directory Services especially in Europe, the United States and Asia. Africa was the least targeted continent at 2% of attacks.
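The daily sweeps described above (many hosts probed on ports 443, 445 and 1433 from a single source) are visible in ordinary perimeter connection logs. As an added example that is not from this article or the Trend Micro report, the check below counts, per source address and port, how many distinct destinations were contacted on one day; the log format, addresses and threshold are constructed for the example.

```python
"""Flag sources that sweep many hosts on the e-mail, SMB and SQL ports named in the article."""
import re
from collections import defaultdict

# Ports the article says were probed: 443 (Exchange/Autodiscover), 445 (SMB), 1433 (SQL Server).
WATCHED_PORTS = {443, 445, 1433}
HOST_THRESHOLD = 5  # distinct destinations per source and port before we call it a sweep (assumed value)

# Constructed syslog-style firewall lines (hypothetical format, not any vendor's); allow and deny
# both count, because a scan is visible whether or not the connection got through.
SAMPLE_LOG = """\
2019-10-03T01:12:04Z fw1 conn src=203.0.113.7 dst=198.51.100.10 dport=1433 proto=tcp action=allow
2019-10-03T01:12:05Z fw1 conn src=203.0.113.7 dst=198.51.100.11 dport=1433 proto=tcp action=allow
2019-10-03T01:12:05Z fw1 conn src=203.0.113.7 dst=198.51.100.12 dport=1433 proto=tcp action=deny
2019-10-03T01:12:06Z fw1 conn src=203.0.113.7 dst=198.51.100.13 dport=1433 proto=tcp action=deny
2019-10-03T01:12:07Z fw1 conn src=203.0.113.7 dst=198.51.100.14 dport=1433 proto=tcp action=deny
2019-10-03T01:12:07Z fw1 conn src=203.0.113.7 dst=198.51.100.15 dport=1433 proto=tcp action=allow
2019-10-03T01:12:09Z fw1 conn src=203.0.113.7 dst=198.51.100.20 dport=445 proto=tcp action=deny
2019-10-03T01:12:09Z fw1 conn src=203.0.113.7 dst=198.51.100.21 dport=445 proto=tcp action=deny
2019-10-03T08:30:00Z fw1 conn src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp action=allow
2019-10-03T08:30:01Z fw1 conn src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp action=allow
2019-10-03T08:31:00Z fw1 garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp"
)


def parse(lines):
    """Yield (day, src, dst, dport) for well-formed lines; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"][:10], m["src"], m["dst"], int(m["dport"])


def find_sweeps(lines, threshold=HOST_THRESHOLD):
    """Return {(day, src, dport): distinct_hosts} for sources that hit >= threshold hosts on a watched port."""
    seen = defaultdict(set)  # (day, src, dport) -> set of destination addresses
    for day, src, dst, dport in parse(lines):
        if dport in WATCHED_PORTS:
            seen[(day, src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in seen.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for (day, src, dport), count in sorted(find_sweeps(SAMPLE_LOG.splitlines()).items()):
        print(f"{day}: {src} contacted {count} hosts on tcp/{dport}")
```

Repeated connections to the same host (the 192.0.2.5 traffic) never raise the count, so ordinary client traffic to one mail server is not flagged.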

Of course, this does not mean African companies and governments can afford to rest on their laurels. If anything, this could signify a quiet before the storm. Considering that the continent has been long marked as one of the next potential investment destinations, it could already be in the Pawn Storm crosshairs.

Trend Micro research highlights that this group could still be active for years to come. It uses a range of tools and tactics. Those businesses and governments serious about their cyber security must, therefore, look at an integrated perimeter-based approach to reduce the risks from any potential entry or jump-off points.

A complete approach that is cognisant not only of the IT threats to the organisation, but of the human ones as well (think social engineering), is critical if data is to be defended and operations are to remain untouched. This is going to be even more crucial during the current lockdown many countries are experiencing. Cyber security must remain a primary focus given the wealth of resources that threat actors like Pawn Storm have access to.

Please click here to read the report.


Editorial contacts

Charlize van Schalkwyk
charlize@anticlockwise.co.za