Cyber security firm Trend Micro released a report on Tuesday about the activities of one of the two malicious cyber actors that hacked into Democratic Party computer systems in the 2016 U.S. election.

The report, “Two Years of Pawn Storm: Examining an Increasingly Relevant Threat,” looks at the past two years of activities of the group known alternatively as Pawn Storm, APT28, Fancy Bear, Sednit, Sofacy, and STRONTIUM. Although the group’s activities are reportedly traced back to 2004, it has become much better known in the last several years.


Trend Micro said the last two years’ worth of operations show how this hacker group has moved from espionage into attempting to influence public opinion. The report examined the facts the company has compiled and the kinds of attacks Pawn Storm is using.

Trend Micro primarily found that the hacker group’s main motives appear to be foreign and domestic espionage as well as influencing geopolitics. Its targets included armed forces, the defense industry, news media, politicians, and particularly opponents of the Russian government.

Pawn Storm made a large impact in 2016 when it attacked the systems of the U.S. Democratic National Committee (DNC); the Christian Democratic Union, German Chancellor Angela Merkel’s party; the Turkish parliament; the Montenegro parliament; and the World Doping Agency (WADA). Data the group stole from the DNC and WADA were later released publicly, and sometimes altered, with specific timing meant to harm the targeted organizations, Trend Micro said.

“As we look at Pawn Storm’s operations over a two-year period, we can see how the group has become more adept at manipulating events and public opinion through the gathering and controlled release of information,” the report said.

The company highlighted that media sources have verified that Pawn Storm approached them indirectly or directly with an offer of exclusive information. Some media agreed to work with the sources and “this shows that Pawn Storm—also well-known for their attempts to compromise various media organizations and journalists—has had some success with getting mainstream media to publish articles that might help their objectives,” Trend Micro said.

The report highlighted that victims of the hackers’ credential phishing often included opponents of Russian policies, foreign embassies in Moscow, and Russian citizens, including journalists, researchers, and artists. Trend Micro said this kind of espionage tool can be used to gain data over long periods of time, use compromised accounts to further penetrate a network, leak sensitive emails and information to harm the target, and conduct domestic espionage.

The report includes a three-page list of phishing campaign targets including the campaign of French presidential candidate Emmanuel Macron.

However, cyber firm ThreatConnect expressed skepticism that Pawn Storm/Fancy Bear is the group targeting the Macron campaign.

While the identified attack activity has consistency with previously identified attacks by the group, “we lack information on the phishing messages, other attack vectors, credential harvesting pages, and any malware used in this campaign that would give us greater confidence in attributing these to Fancy Bear or another adversary,” the company said in a blog post Wednesday.


ThreatConnect also said that, given the amount of attention these attack patterns are getting, it is possible another adversary is merely using the same techniques.

“If Fancy Bear is sniffing around Macron’s campaign, we would expect them to try additional avenues to gain access even if operations leveraging the spoofed domains identified in this report were unsuccessful.”

The Trend Micro report also described how Pawn Storm used additional infiltration tactics like tabnabbing and compromising DNS settings. The report ends by describing guidelines on how to defend against the group and solutions to protect organizations from these specific tactics.

“This closer look at the activities, operational capacity, and tactics of Pawn Storm gives a comprehensive picture of the group’s real motives and capabilities. With a clear understanding of the trends that Pawn Storm is following, along with their history and past operations, hopefully potential victims and targets can properly address this threat,” the Trend Micro report said.

However, “Protecting yourself against an attacker like Pawn Storm is a challenge,” it said. “They have resources that allow them to run lengthy campaigns over years, and seem to be single-minded in their pursuit of their targets. We’ve seen how the group’s credential phishing tactics work to ensnare even the most savvy webmail users, and how sophisticated their attacks look.”