Inside Russian Cyber Espionage

By J.J. Patrick
Security experts expose the depth of Russian intelligence operations and how they hacked democracy.

Cyber security experts at Trend Micro have been tracking the cyber espionage teams of the Russian intelligence services for over a decade.

In one of their latest research papers, the scale of Russian penetration into Western democracy via cyber attacks leaves little doubt that we are in deep trouble and were caught looking the other way.

Referring to the Russian GRU (military intelligence) by the name Pawn Storm - also known as APT28 - Trend paints a horrifying picture which also confirms the assertions made here at Byline over many months.

"As we look at Pawn Storm’s operations over a two-year period," Trend analysts say, "we can see how the group has become more adept at manipulating events and public opinion through the gathering and controlled release of information. Many events—like their involvement in the Democratic National Convention hack—have been covered extensively."

"The group’s cyber propaganda methods—using electronic means to influence opinion—create problems on multiple levels. Aside from manipulating the public, their operations also discredit political figures and disrupt the established media. The proliferation of fake news and fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at high-impact information, presumably in an attempt to skew public perception on a certain topic or person," they add.

The actors, according to Trend, "often attack the same target from different sides, using multiple methods to reach their goals," and this generally relies on well-practised techniques, particularly when it comes to phishing.

"Credential phishing has been a key part of many compromises done by Pawn Storm in recent years and we were the first to describe them in detail from 2014 and onwards," Trend says.

After Pawn Storm breached the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (TAS-CAS) in 2016, a group calling itself the “Fancy Bears’ Hack Team” posted medical records of athletes on its website (security company CrowdStrike uses “Fancy Bear” to identify Pawn Storm actors).

The hack team claimed it stood for “fair play and clean sport”; in reality, however, it leaked confidential medical records that were very likely stolen by Pawn Storm.

"This move could be meant as retaliation against the decision of WADA to block several athletes from the Olympics in Rio de Janeiro, Brazil. It could also be meant to weaken the position of WADA and influence the public opinion of doping incidents," Trend says. 

In 2015, US Army information was released on the site cyb3rc.com by a group calling itself the Cyber Caliphate. The group presented itself as pro-ISIS and suggested that it was an Islam-inspired terrorist group. In the same year, Cyber Caliphate claimed to have taken down the live broadcast of French TV station TV5 for a number of hours. Pro-ISIS messages from the group also appeared on the Twitter and Facebook accounts of TV5.

"This was particularly painful for France, a country that was still in shock from terrorist attacks on the editors of Charlie Hebdo, a French satirical weekly magazine," Trend says. However, it was later reported that the Cyber Caliphate was actually a front for Pawn Storm.

French magazine L’Express shared indicators with Trend that clearly connected the Cyber Caliphate to Pawn Storm, a link French authorities later confirmed. The motives for the TV5 attack are still unclear.

"Of course, it is also possible that this attack was the work of undisciplined Pawn Storm actors. Though the Pawn Storm actors normally work in a professional way, there have been a few other incidents where some Pawn Storm actors showed a lack of discipline," Trend's analysts write.

In 2016 the Democratic National Committee (DNC) was allegedly hacked by Pawn Storm. 

Stolen emails were published by WikiLeaks and by a site called dcleaks[.]com, a domain very likely controlled by Pawn Storm. After the DNC hack became public, a lone hacker calling himself Guccifer 2.0 claimed responsibility.

He claimed to be Romanian (just like the real Guccifer, who was convicted in 2016 for compromising the email accounts of American business executives, political figures and celebrities), but in his communications with the press it became apparent that Guccifer 2.0 was not fluent in Romanian at all.

A study by ThreatConnect showed that Guccifer 2.0 approached news media and offered them exclusive access to password-protected parts of the dcleaks[.]com site. This site leaks email repositories taken mainly from US Pawn Storm targets that were victimised by the group’s advanced Gmail credential phishing campaigns.

"We were able to collect a substantial amount of information on the Gmail credential phishing campaigns of Pawn Storm from 2014 onwards," Trend says. "This makes it very likely that Guccifer 2.0 is a creation of the Pawn Storm actor group." 

Meanwhile, WikiLeaks, which has dubbed itself a “multi-national media organization and associated library”, published emails from the DNC and the AK party of Turkish President Erdogan in 2016. 

"We know that the DNC received a wave of aggressive credential phishing attacks from Pawn Storm in March and April 2016: during the campaign, dozens of politicians, DNC staff, speech writers, data analysts, former staff of the Obama campaign, staff of the Hillary Clinton campaign, and even corporate sponsors were targeted multiple times," Trend's report states.

Pawn Storm also used phishing campaigns against the Turkish government and parliament in early 2016. This makes it highly plausible that the emails published by WikiLeaks were originally stolen by the Pawn Storm actor group. 

According to Trend, there have been instances in which Pawn Storm has used mainstream media to publicise its attacks and influence public opinion.

"When the reputable German magazine Der Spiegel reported on doping in January 2017, Der Spiegel wrote they were in contact with the “Fancy Bear hackers” for months and that in December 2016 they received several sets of data containing PDF and Word documents in addition to hundreds of internal emails from United States Anti-Doping Agency (USADA) and WADA, the World Anti-Doping Agency," Trend says.

This, they say, is a clear example of Pawn Storm having "successfully contacted mainstream media to influence the public opinion about a political topic."

The reports on the compromise of the Democratic Congressional Campaign Committee (DCCC), published at the end of July 2016, serve as another example.

"We discovered that the website was severely compromised more than five weeks before it became public," Trend says.

"All donations meant for dccc.org were first redirected to a site that was under Pawn Storm’s control—this means that the actors had the opportunity to compromise donors of the Democratic Party. At the time of discovery, the compromise was about a week old and still live. We disclosed the compromise to US authorities responsibly and the problem was addressed quickly. We did not publish our findings as a public report could actually benefit Pawn Storm by highlighting their capabilities and also impact the US elections. But then more than five weeks later the compromise did make headlines. Pawn Storm possibly contacted mainstream media about the compromise and, just like in other cases, offered “exclusive” access to stolen information," they add.

In April and May 2016, Pawn Storm launched phishing campaigns against the German political party Christian Democratic Union (CDU), headed by Angela Merkel. Around the same time, the group also set up phishing sites targeting two German free webmail providers.

"German authorities later confirmed that this attack was the work of Pawn Storm. However, it is unknown if they were successful or not," Trend analysts write.

No CDU emails have been leaked yet, but in some instances Pawn Storm has waited for more than a year before starting to leak stolen data.

"The timed release of information is one way a threat actor can maximize the impact of their attack against a target," Trend says.

In early 2016, Pawn Storm also set up credential phishing sites that targeted ministries of the Turkish government and the Turkish parliament. Another credential phishing site was set up to target the parliament of Montenegro in October 2016—this was likely the work of Pawn Storm as well. 

"Pawn Storm has also probably leaked stolen information via cyber-berkut[.]org," Trend says. "This is the website of an actor group posing as an activist group with a particular interest in leaking documents from the Ukraine. The exact relation between Pawn Storm and CyberBerkut is unknown, but we have credible information that CyberBerkut has published information which was stolen during Pawn Storm’s credential phishing campaigns." 

Prior to leaking the information, parts of the documents and emails were allegedly altered. The authenticity of leaked data is generally not verified, which allows threat actors to alter stolen data to their own benefit and present it as real and unaltered.

"By publishing carefully selected pieces of unaltered stolen data, threat actors can even more effectively influence public opinion in a way that is aligned with their interests," Trend says.

The incidents set out, according to Trend, show Pawn Storm’s interest in influencing politics in different countries and, they say, "this is not limited to the presidential elections in the US, but goes beyond that. Resourceful threat actors such as Pawn Storm can sustain long-term operations and leverage different attacks that can last for years—such as credential phishing."

The in-depth report goes on to explain how the technical operations behind credential phishing - used most recently in the Westminster cyber attack - have been so effective for Pawn Storm.

#Trend Micro, #Pawn Storm, #APT28, #Russia, #GRU, #Cyber Attack, #Spearphishing, #US Elections, #Germany, #France, #Ukraine, #Alternative War