The Pawn Storm cyber espionage group has targeted government offices and one of the largest newspapers of Turkey earlier in 2016, researchers at Trend Micro said March 9.
The company identified fake Outlook Web Access (OWS) servers meant for phishing attacks from January to February 2016. The targets include the office of the prime minister of Turkey (Başbakanlık), the Directorate General of Press and Information of the Turkish government, the Grand National Assembly of Turkey (Türkiye Büyük Millet Meclisi), and the Turkish newspaper Hürriyet.
Trend Micro highlighted that many targets of Pawn Storm could be perceived as some form of threat to Russia or Russian politics. The group has been known to target NATO and its member states; U.S. government, military, and media entities; government, military, and media entities of U.S. allies, Russian political dissidents or opponents of the Kremlin; Ukrainian activists, media, military, and government; and governments in Europe, Asia, and the Middle East generally.
The company provided Turkey with early warning of the attacks, helping to mitigate any potential damage if unnoticed, Trend Micro said. The company added there are several reasons why the group would target Turkey including disagreements with Russia over issues including the Turkish shootdown of a Russian jet at the Syrian border in November, internal disputes with Kurdish groups within Turkey’s borders, and refugee flows crossing Turkey to get into Europe.
“Taken together, it’s no surprise that a campaign like Pawn Storm would add Turkey to its list of targets,” Feike Hacquebord, senior threat researcher, said on the company’s TrendLabs Security Intelligence Blog.
Hacquebord highlighted Pawn Storm may be pursuing political and media information in Turkey considering the Turkish parliament was attacked as well as at least two fake OWA servers set up to target the newspaper.
Pawn Storm is differentiated from other politically-inclined actors because of its methods, Trend Micro said in a January 2016 article. This includes using spear-phishing email baiting with geopolitical material leading to SEDNIT malware, creating the fake OWA login pages to steal login credentials, exploits several specific vulnerabilities, and creating and using an iOS malware app to steal various types of information an Apple [APPL] iPhone contains.
Pawn Storm’s network infrastructure in the Turkey attack was based in the Netherlands.
“They seem to have found a cozy home at a VPS provider with a postal address in the United Arab Emirates and servers in a datacenter in the Netherlands,” Hacquebord said.
That particular VPS provider has been the base of dozens of Pawn Storm attacks in 2015 and 2016 along with other groups like DustySky and Carbanak. The VPS provider was also previously used by a threat actor that targeted users of one of the largest Russian banks.
TrendMicro said this makes that VPS look like a bulletproof hosting service – a hardware, software, or application-based hosting facility that can store any type of content and executable code like a regular hosting service but features malicious content.