Pawn Storm under the microscope

Pawn Storm (also APT28 or Forest Blizzard) is a group of APT actors characterized by persistent repetition in their tactics, techniques and procedures (TTPs).

The group is known for still running the same kind of phishing email campaigns it has used for a decade, aimed at high-value targets around the world. Although campaign methods and infrastructure gradually change over time, these campaigns still provide valuable information about Pawn Storm's infrastructure, including infrastructure that is also used in more advanced campaigns.

Trend Micro tracked Pawn Storm's activities between April 2022 and November 2023. During this time, Pawn Storm tried to launch NTLMv2 hash relay attacks using various methods. Recipients of the malicious spear phishing campaigns included foreign policy, energy, defense and transportation organizations. The group also targeted organizations dealing with labor, social welfare, finance and parenting, and even local city governments, a central bank, courts and the fire department of a country's military branch.

Sophisticated attacks

The apparent lack of sophistication does not necessarily mean that the perpetrators are unsuccessful or that the campaigns are unsophisticated. On the contrary, there is clear evidence that Pawn Storm has compromised thousands of email accounts over time, and some of these seemingly repetitive attacks are cleverly designed and disguised. Some also use sophisticated TTPs. The "noise" of repetitive, often heavy-handed and aggressive campaigns drowns out the quiet, subtle and complex initial intrusions, as well as the post-exploitation activity that may take place once the intruders have gained a foothold in a victim's organization.

Feike Hacquebord, Senior Threat Researcher at Trend Micro, puts the group's activities into context: Pawn Storm launched a phishing campaign against various governments in Europe from November 29 to December 11, 2023. We can associate this campaign with some of the Net-NTLMv2 hash relay campaigns using technical indicators. For example, the same computer name was used in both campaigns. It was also used to send spear phishing emails and to create LNK files used in some of the Net-NTLMv2 hash relay campaigns.

More at TrendMicro.com

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.
