Not Surprisingly, Russian-Linked APT Adds Turkey to Its List of Targets

Security researchers from US cyber-security firm Trend Micro are reporting that the Pawn Storm cyber-espionage group has shifted some of its hacking operations and are now targeting high-ranking Turkish officials.

The Pawn Storm group, also known as APT28, Sofacy, Fancy Bear, Sednit, or Strontium, is a so-called APT, an Advanced Persistent Threat, a term used to describe cyber-crime or cyber-espionage hacking groups that activate only against a very limited, but high-valuable targets, either governments or large corporations.

Pawn Storm group coincidentally targets Russia’s enemies

This group is one of the most active and dangerous APT around, and in the past has been linked with attacks against NATO military bases, the White House, the Polish government, various Syrian groups involved in the local civil war, and even the Dutch agency that investigated the crash of flight MH17.

As you can probably tell on your own, most of these targets are groups and organizations that have criticized Russia or are classic enemies of the Russian state.

With many cyber-security vendors saying that Pawn Storm may be backed by the Russian government, from whom the hackers are taking their orders, it makes perfect sense for Pawn Storm hackers to target Turkish targets.

With tensions between the two countries at an all-time high and still escalating, Russia may be looking to acquire new information on a potential threat.

Pawn Storm attacks many Turkish government targets

According to Trend Micro, this is what happened, and since mid-January 2016, the Pawn Storm group has been seen setting up fake Outlook Web Access (OWA) servers, which they have been using as part of spear-phishing campaigns, trying to acquire login credentials for sensitive backends and platforms.

Trend Micro says that it has seen attacks which employed these fake OWA servers against the Directorate General of Press and Information of the Turkish government, the Grand National Assembly (Parliament) of Turkey, and the office of the prime minister of Turkey.

Additionally, besides the aforementioned Turkish government targets, Pawn Storm hackers have also targeted the employees of Turkish newspaper Hürriyet, in three separate attacks.

Security researchers say they were able to detect the attacks in time and have alerted Turkish authorities of the danger.

Trend Micro is certain that Pawn Storm is behind the attacks

They are also certain that Pawn Storm is behind these incidents because the fake OWA servers were hosted via a bulletproof VPS provider which the APT has used numerous times in past attacks.

This VPS is registered in the United Arab Emirates but keeps its servers in a secure data center in the Netherlands, which refuses to take them down.

The same VPS and data center have also been used by many other cyber-crime groups in the past, and it’s starting to become a nuisance for many security vendors and law enforcement authorities.

As for Russia’s aversion towards Turkey, Nexusguard, a company that provides DDoS mitigation services, also said it started seeing a massive increase in DDoS attacks against Turkish infrastructure that started around the same time when Turkish-Russian relations escalated. While Anonymous may be behind some of these attacks, the rest are attributed to Russian hackers, even if not all are state-backed actors.


About Author