Russian State-Linked Hackers Targeted MH17 Investigators

Russian state-sponsored hackers linked to attacks on the White House and NATO members in the past have been caught targeting the investigation team behind downed airliner MH17.

The Dutch Safety Board (Onderzoeksraad) was the victim of a “coordinated attack from several sides” carried out by hacking group APT28, aka Pawn Storm, according to Trend Micro.

The security giant’s senior threat researcher, Feike Hacquebord, claimed in a blog post that a fake VPN server and a fake SFTP server had been set up to ape those run by the Dutch Safety Board.

“It is very likely these were used for credential phishing attacks against personnel of the Safety Board in order to get unauthorized access to both the SFTP and the VPN server,” he wrote.

In fact, the discovery is likely to signal the first time an advanced threat group has been caught attempting to get unauthorized access to a VPN server.

“The VPN server of the Safety Board looks to use temporary tokens for authentication,” explained Hacquebord.

“However, these tokens can be phished in a straightforward way and tokens alone do not protect against one-time unauthorized access by third parties, once the target falls for the phishing attack.”

The attacks took place both before and after the date the Board published its findings into the MH17 crash—13 October.

However, the attacks weren’t limited to the Dutch investigation team alone, according to Trend Micro.

On 29 September a fake Outlook Web Access (OWA) server was set up to try and snare a partner of the Onderzoeksraad, although Trend Micro was able to notify the affected party early on.

Pawn Storm is well known for its long-running campaign against a range of targets, which include the White House, NATO, US defense firms and various political activists and politicians inside Russia.

It’s particularly noted for researching ingenious zero-day vulnerabilities—including a flaw in Java which was the first zero-day to be discovered in the software in two years, and a new Adobe Flash bug which was recently patched.