Cybersecurity researchers at Trend Micro have been tracking the cyber espionage teams of the Russian intelligence services for over a decade.

Their latest research paper documents a scale of Russian cyber intrusion into Western democratic institutions that leaves little doubt we are in deep trouble, and that we were caught looking the other way.

Trend tracks the group, widely attributed to the Russian GRU (military intelligence), under the name Pawn Storm; it is also known as APT28. The picture Trend paints is a grim one, and it confirms the assertions made here at Byline over many months.

“As we look at Pawn Storm’s operations over a two-year period,” Trend analysts say, “we can see how the group has become more adept at manipulating events and public opinion through the gathering and controlled release of information. Many events—like their involvement in the Democratic National Convention hack—have been covered extensively.”

“The group’s cyber propaganda methods—using electronic means to influence opinion—create problems on multiple levels. Aside from manipulating the public, their operations also discredit political figures and disrupt the established media. The proliferation of fake news and fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at high-impact information, presumably in an attempt to skew public perception on a certain topic or person,” they add.

The actors, according to Trend, “often attack the same target from different sides, using multiple methods to reach their goals,” and those methods generally rely on well-practised techniques, above all credential phishing.

“Credential phishing has been a key part of many compromises done by Pawn Storm in recent years and we were the first to describe them in detail from 2014 and onwards,” Trend says.

After Pawn Storm breached the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016, a group calling itself the “Fancy Bears’ Hack Team” posted athletes’ medical records on its website (the security company CrowdStrike uses the name “Fancy Bear” for the Pawn Storm actors).

The hack team claimed it stood for “fair play and clean sport”; in reality it leaked confidential medical records that were very likely stolen by Pawn Storm.

“This move could be meant as retaliation against the decision of WADA to block several athletes from the Olympics in Rio de Janeiro, Brazil. It could also be meant to weaken the position of WADA and influence the public opinion of doping incidents,” Trend says.

In 2015, US Army information was released on the site cyb3rc.com by a group calling itself the Cyber Caliphate. The group presented itself as pro-ISIS and suggested that it was an Islam-inspired terrorist group. In the same year, the Cyber Caliphate claimed to have taken the live broadcast of French TV station TV5 off the air for a number of hours. Pro-ISIS messages from the group also appeared on TV5’s Twitter and Facebook accounts.

“This was particularly painful for France, a country that was still in shock from terrorist attacks on the editors of Charlie Hebdo, a French satirical weekly magazine,” Trend says. It was later reported, however, that the Cyber Caliphate was actually a front for Pawn Storm.

The French magazine L’Express shared indicators with Trend that clearly connected the Cyber Caliphate to Pawn Storm, a link French authorities later confirmed. The motive for the TV5 attack is still unclear.

“Of course, it is also possible that this attack was the work of undisciplined Pawn Storm actors. Though the Pawn Storm actors normally work in a professional way, there have been a few other incidents where some Pawn Storm actors showed a lack of discipline,” Trend’s analysts write.

In 2016 the Democratic National Committee (DNC) was allegedly hacked by Pawn Storm. Stolen emails were published by WikiLeaks and by a site called dcleaks[.]com, a domain very likely controlled by Pawn Storm.

After the DNC hack became public, a lone hacker calling himself Guccifer 2.0 claimed responsibility. He claimed to be Romanian (like the real hacker Guccifer, who was convicted in 2016 for compromising the email accounts of American business executives, political figures and celebrities), but in his communications with the press it became apparent that Guccifer 2.0 was not fluent in Romanian at all.

A study by ThreatConnect showed that Guccifer 2.0 approached news media and offered them exclusive access to password-protected parts of the dcleaks[.]com site. That site leaks email repositories taken mainly from US targets of Pawn Storm who fell victim to the group’s advanced Gmail credential phishing campaigns.

“We were able to collect a substantial amount of information on the Gmail credential phishing campaigns of Pawn Storm from 2014 onwards,” Trend says. “This makes it very likely that Guccifer 2.0 is a creation of the Pawn Storm actor group.”

Meanwhile WikiLeaks, which describes itself as a “multi-national media organization and associated library”, published emails from the DNC and from the AK Party of Turkish President Erdogan in 2016. “We know that the DNC received a wave of aggressive credential phishing attacks from Pawn Storm in March and April 2016: during the campaign, dozens of politicians, DNC staff, speech writers, data analysts, former staff of the Obama campaign, staff of the Hillary Clinton campaign, and even corporate sponsors were targeted multiple times,” Trend’s report states.

Pawn Storm also ran phishing campaigns against the Turkish government and parliament in early 2016. This makes it highly plausible that the emails published by WikiLeaks were originally stolen by the Pawn Storm actor group.

According to Trend, there have been instances in which Pawn Storm has used mainstream media to publicise its attacks and influence public opinion.

“When the reputable German magazine Der Spiegel reported on doping in January 2017, Der Spiegel wrote they were in contact with the ‘Fancy Bear hackers’ for months and that in December 2016 they received several sets of data containing PDF and Word documents in addition to hundreds of internal emails from United States Anti-Doping Agency (USADA) and WADA, the World Anti-Doping Agency,” Trend says.

This is, they claim, a clear example of Pawn Storm having “successfully contacted mainstream media to influence the public opinion about a political topic.”

The reports of the Democratic Congressional Campaign Committee (DCCC) being compromised, published at the end of July 2016, serve as another example. “We discovered that the website was severely compromised more than five weeks before it became public,” Trend says.

“All donations meant for dccc.org were first redirected to a site that was under Pawn Storm’s control—this means that the actors had the opportunity to compromise donors of the Democratic Party. At the time of discovery, the compromise was about a week old and still live. We disclosed the compromise to US authorities responsibly and the problem was addressed quickly. We did not publish our findings as a public report could actually benefit Pawn Storm by highlighting their capabilities and also impact the US elections. But then more than five weeks later the compromise did make headlines. Pawn Storm possibly contacted mainstream media about the compromise and, just like in other cases, offered ‘exclusive’ access to stolen information,” they add.

In April and May 2016 Pawn Storm launched phishing campaigns against the German political party Christian Democratic Union (CDU), headed by Angela Merkel; around the same time the group also set up phishing sites targeting two German free webmail providers.

“German authorities later confirmed that this attack was the work of Pawn Storm. However it is unknown if they were successful or not,” Trend analysts write.

No CDU emails have been leaked yet, but in some instances Pawn Storm has waited more than a year before starting to leak stolen data.

“The timed release of information is one way a threat actor can maximize the impact of their attack against a target,” Trend says.

In early 2016, Pawn Storm also set up credential phishing sites targeting ministries of the Turkish government and the Turkish parliament. Another credential phishing site was set up to target the parliament of Montenegro in October 2016; this was likely the work of Pawn Storm as well.

“Pawn Storm has also probably leaked stolen information via cyber-berkut[.]org,” Trend says. “This is the website of an actor group posing as an activist group with a particular interest in leaking documents from the Ukraine. The exact relation between Pawn Storm and CyberBerkut is unknown, but we have credible information that CyberBerkut has published information which was stolen during Pawn Storm’s credential phishing campaigns.”

Prior to being leaked, parts of the documents and emails were allegedly altered. The authenticity of leaked data is generally not verified, which allows threat actors to alter stolen data to their own benefit and present it as real and unaltered.

“By publishing carefully selected pieces of unaltered stolen data, threat actors can even more effectively influence public opinion in a way that is aligned with their interests,” Trend says.

Taken together, Trend says, these incidents show Pawn Storm’s interest in influencing politics in several countries: “this is not limited to the presidential elections in the US, but goes beyond that. Resourceful threat actors such as Pawn Storm can sustain long-term operations and leverage different attacks that can last for years—such as credential phishing.”

The in-depth report goes on to explain how the technical operations behind credential phishing, the technique used most recently in the Westminster cyber attack, have been so effective for Pawn Storm.