Cyber Security experts at Trend Micro Systems have been tracking the Russian Intelligence Services cyber espionage teams for over a decade.
In one of their latest research papers, the scale of Russian penetration into Western democracy via cyber attacks leaves little doubt that we are in deep trouble and were caught looking the other way.
Referring to the Russian GRU (military intelligence) by the name Pawn Storm – also known as APT28 – Trend paints a horrifying picture which also confirms the assertions made here at Byline over many months.
“As we look at Pawn Storm’s operations over a two-year period,” Trend analysts say, “we can see how the group has become more adept at manipulating events and public opinion through the gathering and controlled release of information. Many events—like their involvement in the Democratic National Convention hack—have been covered extensively.”
“The group’s cyber propaganda methods—using electronic means to influence opinion—create problems on multiple levels. Aside from manipulating the public, their operations also discredit political figures and disrupt the established media. The proliferation of fake news and fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at high-impact information, presumably in an attempt to skew public perception on a certain topic or person,” they add.
The actors, according to Trend, “often attack the same target from different sides, using multiple methods to reach their goals,” and this generally relies on practiced techniques, specifically when it comes to phishing.
“Credential phishing has been a key part of many compromises done by Pawn Storm in recent years and we were the first to describe them in detail from 2014 and onwards,” Trend says.
After Pawn Storm breached the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016, a group that calls themselves the “Fancy Bears’ Hack team” posted medical records of athletes on their website (security company CrowdStrike uses “Fancy Bear” to identify Pawn Storm actors).
The hack team claimed they stood for “fair play and clean sport”; in reality, however, they leaked confidential medical records that were very likely stolen by Pawn Storm.
“This move could be meant as retaliation against the decision of WADA to block several athletes from the Olympics in Rio de Janeiro, Brazil. It could also be meant to weaken the position of WADA and influence the public opinion of doping incidents,” Trend says.
In 2015, US Army information was released on the site cyb3rc.com by a group calling itself the Cyber Caliphate. The group presented itself as pro-ISIS and suggested that they are an Islam-inspired terrorist group. In the same year, Cyber Caliphate claimed to have taken down the live broadcast of French TV station TV5 for a number of hours. Pro-ISIS messages from the group also appeared on the Twitter and Facebook accounts of TV5.
“This was particularly painful for France, a country that was still in shock from terrorist attacks on the editors of Charlie Hebdo, a French satirical weekly magazine,” Trend says. It was later reported, however, that the Cyber Caliphate was actually a front for Pawn Storm.
French magazine L’Express shared indicators with Trend which clearly connected Cyber Caliphate to Pawn Storm, which French authorities later confirmed. The motives for the TV5 attack are still unclear.
“Of course, it is also possible that this attack was the work of undisciplined Pawn Storm actors. Though the Pawn Storm actors normally work in a professional way, there have been a few other incidents where some Pawn Storm actors showed a lack of discipline,” Trend’s analysts write.
In 2016 the Democratic National Committee (DNC) was allegedly hacked by Pawn Storm. Stolen emails were published by WikiLeaks and a site called dcleaks[.]com, a domain very likely controlled by Pawn Storm.
After the DNC hack became public, a lone hacker called Guccifer 2.0 claimed responsibility. He claimed to be Romanian (just like the real hacker Guccifer, who was convicted in 2016 for compromising the email accounts of American business executives, political figures and celebrities), but while communicating with the press, it appeared that Guccifer 2.0 was not fluent in Romanian at all.
A study by ThreatConnect showed that Guccifer 2.0 approached news media and offered them exclusive access to password-protected parts of the dcleaks[.]com site. This specific site actually leaks email repositories taken from mainly US Pawn Storm targets that have been victimized by the group’s advanced Gmail credential phishing campaigns.
“We were able to collect a substantial amount of information on the Gmail credential phishing campaigns of Pawn Storm from 2014 onwards,” Trend says. “This makes it very likely that Guccifer 2.0 is a creation of the Pawn Storm actor group.”
Meanwhile, WikiLeaks, which has dubbed itself a “multi-national media organization and associated library”, published emails from the DNC and the AK party of Turkish President Erdogan in 2016.
“We know that the DNC received a wave of aggressive credential phishing attacks from Pawn Storm in March and April 2016: during the campaign, dozens of politicians, DNC staff, speech writers, data analysts, former staff of the Obama campaign, staff of the Hillary Clinton campaign, and even corporate sponsors were targeted multiple times,” Trend’s report states.
Pawn Storm also used phishing campaigns against the Turkish government and parliament in early 2016. This makes it highly plausible that the emails published by WikiLeaks were originally stolen by the Pawn Storm actor group.
According to Trend, there have been instances when Pawn Storm used mainstream media to publicize their attacks and influence public opinion.
“When the reputable German magazine Der Spiegel reported on doping in January 2017, Der Spiegel wrote they were in contact with the “Fancy Bear hackers” for months and that in December 2016 they received several sets of data containing PDF and Word documents in addition to hundreds of internal emails from United States Anti-Doping Agency (USADA) and WADA, the World Anti-Doping Agency,” Trend says.
This is, they claim, a clear example where Pawn Storm “successfully contacted mainstream media to influence the public opinion about a political topic.”
The reports on the Democratic Congressional Campaign Committee (DCCC) being compromised, published at the end of July 2016, serve as another example.
“We discovered that the website was severely compromised more than five weeks before it became public,” Trend says.
“All donations meant for dccc.org were first redirected to a site that was under Pawn Storm’s control—this means that the actors had the opportunity to compromise donors of the Democratic Party. At the time of discovery, the compromise was about a week old and still live. We disclosed the compromise to US authorities responsibly and the problem was addressed quickly. We did not publish our findings as a public report could actually benefit Pawn Storm by highlighting their capabilities and also impact the US elections. But then more than five weeks later the compromise did make headlines. Pawn Storm possibly contacted mainstream media about the compromise and, just like in other cases, offered “exclusive” access to stolen information,” they add.
In April and May 2016 Pawn Storm launched phishing campaigns against the German political party Christian Democratic Union (CDU), headed by Angela Merkel; around the same time, the group set up phishing sites against two German free webmail providers.
“German authorities later confirmed that this attack was the work of Pawn Storm. However, it is unknown if they were successful or not,” Trend analysts write.
No emails of CDU have been leaked yet, but in some instances Pawn Storm has waited for more than a year before it started to leak stolen data.
“The timed release of information is one way a threat actor can maximize the impact of their attack against a target,” Trend says.
In early 2016, Pawn Storm also set up credential phishing sites that targeted ministries of the Turkish government and the Turkish parliament. Another credential phishing site was set up to target the parliament of Montenegro in October 2016—this was likely the work of Pawn Storm as well.
“Pawn Storm has also probably leaked stolen information via cyber-berkut[.]org,” Trend says. “This is the website of an actor group posing as an activist group with a particular interest in leaking documents from the Ukraine. The exact relation between Pawn Storm and CyberBerkut is unknown, but we have credible information that CyberBerkut has published information which was stolen during Pawn Storm’s credential phishing campaigns.”
Prior to leaking the information, parts of the documents and emails were allegedly altered. The authenticity of leaked data is generally not verified, allowing threat actors to alter the stolen data to their own benefit and present it as real and unaltered.
“By publishing carefully selected pieces of unaltered stolen data, threat actors can even more effectively influence public opinion in a way that is aligned with their interests,” Trend says.
The incidents set out, according to Trend, show Pawn Storm’s interest in influencing politics in different countries and, they say, “this is not limited to the presidential elections in the US, but goes beyond that. Resourceful threat actors such as Pawn Storm can sustain long-term operations and leverage different attacks that can last for years—such as credential phishing.”
The in-depth report goes on to explain how the technical operations behind credential phishing – used most recently in the Westminster cyber attack – have been so effective for Pawn Storm.