Russian Group Hacking Olympics and Governments

An organized hacking group from Russia is actively pursuing Winter Olympic organizations and nation states.

According to a white paper published by Trend Micro and updated recently, a group called Pawn Storm has been hacking and attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015.

These hacking attacks are not technically innovative, but they are well prepared, persistent, and often hard to defend against.

The group’s attacks are not isolated incidents, and we can often relate them to earlier attacks by carefully looking at both technical indicators and motives.

The group has a large toolset of social engineering tricks, malware and exploits, and therefore doesn't need much innovation apart from occasionally using its own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released.

Pawn Storm has been hacking organizations via credential phishing and spear phishing attacks. Pawn Storm’s modus operandi is quite consistent over the years, with some of their technical tricks being used repeatedly.

Olympic Targets

The group's targets in the second half of 2017 included the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation and the International Luge Federation. Trend Micro pointed out that the timing is noteworthy, as it correlates with several Russian Olympic athletes being banned for life in fall 2017.

In 2016, Pawn Storm had some success in hacking WADA (the World Anti-Doping Agency) and TAS-CAS (the Court of Arbitration for Sport). At that time, Pawn Storm sought active contact with mainstream media either directly or via proxies and had influence on what some of them published.

Political targets

In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users. Trend Micro collected evidence that credential phishing emails were sent to chmail.ir users on May 18, 2017, just one day before the presidential elections in Iran. Trend Micro had previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

Indicators of Compromise (IoCs), listed in defanged form:

  • adfs[.]senate[.]group
  • adfs-senate[.]email
  • adfs-senate[.]services
  • senate[.]qov[.]info
  • ir[.]udelivered[.]tk
  • webmail-ibsf[.]org
  • fil-luge[.]com
  • biathlovvorld[.]com
  • mail-ibu[.]eu
  • fisski[.]ca
  • iihf[.]eu
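The defanged domains above are only useful once they are turned back into matchable names and checked against resolver or proxy logs. The following Python script is an added example, not code from the article or from Trend Micro: it refangs the listed IoCs and flags DNS queries for those domains or any subdomain of them. The log format and the log lines themselves are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Defanged domains exactly as listed in the IoC section above.
DEFANGED_IOCS = [
    "adfs[.]senate[.]group",
    "adfs-senate[.]email",
    "adfs-senate[.]services",
    "senate[.]qov[.]info",
    "ir[.]udelivered[.]tk",
    "webmail-ibsf[.]org",
    "fil-luge[.]com",
    "biathlovvorld[.]com",
    "mail-ibu[.]eu",
    "fisski[.]ca",
    "iihf[.]eu",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "hxxp://") back into a plain domain."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return d.rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the IoC that hostname equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    # Walk from the full name toward the registrable domain so that
    # "login.adfs-senate.email" still matches "adfs-senate.email".
    # The bare TLD is never tested (range stops one label short).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed sample DNS query log (hypothetical format: timestamp, client IP,
# "query", record type, queried name). Not taken from the report.
SAMPLE_LOG = """\
2017-05-18T09:12:03Z 10.0.0.15 query A login.adfs-senate.email
2017-05-18T09:12:07Z 10.0.0.15 query A www.iihf.example
2017-05-18T09:13:41Z 10.0.0.22 query A biathlovvorld.com
2017-05-18T09:14:02Z 10.0.0.31 query A mail.example.org
2017-05-18T09:15:19Z 10.0.0.31 query A senate.qov.info.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$"
)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for every query touching an IoC domain."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ioc = matches_ioc(m.group("qname"))
        if ioc:
            hits.append((m.group("ts"), m.group("client"), ioc))
    return hits


if __name__ == "__main__":
    for ts, client, ioc in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} resolved IoC domain {ioc}")
```

Matching on domain suffixes rather than exact strings matters because phishing pages typically sit on a host under the registered domain (a login or webmail subdomain), while a trailing dot or mixed case in the logged name should not cause a miss. Look-alike names such as biathlovvorld (vv standing in for w) and qov (q for g) only match when spelled exactly as the attacker registered them, so the list has to be kept current from the source report.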

Access the Whitepaper here
