CyberSecurity SEE

Pawn Storm APT Launches Hash Relay Attacks on Government Departments

In an analysis conducted by Trend Micro, the recent maneuvers of an advanced persistent threat (APT) actor have been dissected, highlighting the relentless repetition of its tactics and the interplay between seemingly unsophisticated campaigns and the sophistication concealed within them.

This particular threat actor, also tracked as APT28 and Forest Blizzard, is commonly referred to as Pawn Storm. Its resilience, demonstrated over more than a decade of continuous cyber intrusions, cannot be dismissed.

Despite relying on aged phishing techniques, these campaigns, which often target hundreds of individuals at once, offer an in-depth view of the threat actor’s evolving infrastructure and of the more advanced exploits hidden beneath the surface.

Moreover, from April 2022 to November 2023, Pawn Storm conducted extensive Net-NTLMv2 hash relay attacks, with peaks of activity against government entities in foreign affairs, energy, defense, and transportation. The question is whether this relentless assault is mere noise or a cost-efficient strategy for automating brute-force attempts against the networks of governments and defense industries worldwide.

According to Trend Micro, Pawn Storm employs a sophisticated array of anonymization tools, including VPN services, Tor, and compromised EdgeOS routers. This cloak of anonymity extends to its spear-phishing emails, which are sent from compromised email accounts accessed through Tor or VPN exit nodes. The use of free services and URL shorteners adds further layers to its elusive presence.

In March 2023, Pawn Storm exploited the critical Outlook vulnerability CVE-2023-23397. Triggered through spear-phishing emails, the flaw allowed the attacker to launch Net-NTLMv2 hash relay attacks that persistently targeted Microsoft Exchange servers within victim organizations. This marked an evolution of the cyber chessboard, with the exploitation of zero-day vulnerabilities now among its moves.

In a display of subtlety, Pawn Storm deployed a streamlined information stealer in October 2022. Delivered as a malicious attachment and operating without a command-and-control server, it autonomously exfiltrated data from embassies and other high-profile targets. Its crude exterior conceals a methodical approach: the stolen information was discreetly uploaded to free file-sharing services, making attribution harder.

It is evident that Pawn Storm’s legacy extends beyond two decades, embodying both aggression and determination. Its strategic evolution, from brute-force assaults to the exploitation of zero-day vulnerabilities, challenges defenders to decipher the moves on this digital chessboard.

For network defenders seeking to fortify their defenses, the appendix of the Trend Micro report offers an extensive list of indicators. Despite Pawn Storm’s use of shared IP addresses, the relatively slow changes in its tactics serve as a beacon for detecting the initial stages of compromise.

In conclusion, the recent analysis by Trend Micro has shed light on the persistent and evolving threat posed by Pawn Storm, prompting the need for continued vigilance and strategic defense measures to counter its advanced cyber intrusions.