Russian APT28 Group Changes Tack to Probe Email Servers


The infamous Russian threat group known as APT28 or Pawn Storm has spent the past year scanning for vulnerable email, Microsoft SQL Server and Directory Services servers, in what appears to be something of a change in tactics.

The APT group, also known as Sednit, Sofacy and Strontium, has been responsible for some of the most explosive cyber-espionage campaigns of recent years, stealing sensitive information from the Democratic National Committee (DNC) that Hillary Clinton has claimed helped Donald Trump to power.

In line with the wishes of its Kremlin masters, the group also hacked the World Anti-Doping Agency (WADA) multiple times after a massive state-sponsored doping scheme came to light.

The group commonly favors spear-phishing and malware to infiltrate targeted organizations. However, Trend Micro claimed in a new report on Thursday that the group spent much of 2019 scanning TCP port 443 for exposed email servers and Microsoft Exchange Autodiscover endpoints across the globe.

After finding vulnerable systems, the group looked to brute-force credentials, exfiltrate email data and send out more spam waves, according to the report.
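The scan-then-brute-force pattern above leaves a recognizable trace on the Exchange side: a single source address hammering the Autodiscover endpoint with HTTP 401 failures across many accounts, or one account that fails repeatedly and then suddenly succeeds. The following detection logic is an added example written for this page, not code from the article or from Trend Micro's report. The IIS-style log lines, their field order (date, time, URI, username, client IP, status) and the thresholds are constructed assumptions for illustration; a real deployment would map them to the actual W3C fields in the Exchange front-end logs.

```python
"""Flag credential brute-forcing / password spraying against Exchange Autodiscover.

Added example for this page; not from the article or Trend Micro.
The log format below is an assumed, simplified IIS W3C layout.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines (not real traffic). Assumed field order:
# date time cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
2019-05-02 10:00:01 /autodiscover/autodiscover.xml alice 203.0.113.7 401
2019-05-02 10:00:02 /autodiscover/autodiscover.xml bob 203.0.113.7 401
2019-05-02 10:00:03 /autodiscover/autodiscover.xml carol 203.0.113.7 401
2019-05-02 10:00:04 /autodiscover/autodiscover.xml dave 203.0.113.7 401
2019-05-02 10:00:05 /autodiscover/autodiscover.xml erin 203.0.113.7 401
2019-05-02 10:00:06 /autodiscover/autodiscover.xml frank 203.0.113.7 200
2019-05-02 10:01:00 /autodiscover/autodiscover.xml alice 198.51.100.9 401
2019-05-02 10:01:30 /autodiscover/autodiscover.xml alice 198.51.100.9 200
2019-05-02 10:02:00 /owa/ gina 192.0.2.4 200
"""


@dataclass(frozen=True)
class Event:
    ts: str
    path: str
    user: str
    src: str
    status: int


def parse_iis(text):
    """Parse the assumed six-field layout; skip comments and malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            continue
        date, time, path, user, src, status = parts
        events.append(Event(f"{date} {time}", path.lower(), user.lower(), src, int(status)))
    return events


def detect_autodiscover_spray(events, min_distinct_users=5):
    """Password spray: one source IP collecting 401s on Autodiscover for many
    distinct usernames. Returns {src_ip: [users]} for sources over threshold."""
    failed_users = defaultdict(set)
    for e in events:
        if e.path.startswith("/autodiscover") and e.status == 401:
            failed_users[e.src].add(e.user)
    return {
        src: sorted(users)
        for src, users in failed_users.items()
        if len(users) >= min_distinct_users
    }


def detect_success_after_failures(events, min_failures=1):
    """Targeted brute force that worked: a (src, user) pair that returned 401
    at least min_failures times and then got a 200 on Autodiscover.
    Returns a list of (src_ip, user, failures_before_success)."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        if not e.path.startswith("/autodiscover"):
            continue
        key = (e.src, e.user)
        if e.status == 401:
            failures[key] += 1
        elif e.status == 200 and failures[key] >= min_failures:
            hits.append((e.src, e.user, failures[key]))
    return hits


if __name__ == "__main__":
    evts = parse_iis(SAMPLE_LOG)
    print("spray sources:", detect_autodiscover_spray(evts))
    print("success after failures:", detect_success_after_failures(evts))
```

Both detectors run over the whole log at once; in production you would bucket by a time window (the spray threshold only means something per hour or per day) and treat a hit from `detect_success_after_failures` as a priority alert, since it indicates a guessed password rather than just noise.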

On the receiving end were traditional APT28 targets such as military and defense organizations, governments, law firms, political parties and universities, but also more unusual ones such as private schools in France and the UK, and even a kindergarten in Germany.

The group also scanned TCP port 445 (Directory Services over SMB) and TCP port 1433 (Microsoft SQL Server) to find vulnerable servers worldwide, Trend Micro revealed.

Another tactic deployed last year was to use the previously compromised email accounts of high-profile targets to send out phishing emails to their contacts. Defense companies in the Middle East were the main targets.

It’s unclear why the group changed tack in this way: Trend Micro suggests it could be an attempt to evade spam filters. However, the vendor said these tactics failed to result in significantly more inbox deliveries.
