All eyes are on Russia after the gang behind the notorious Pawn Storm APT campaign turned its sights onto Turkish government and media targets in a bid to lift sensitive information which could be useful geopolitically.
Trend Micro has been following the gang for years and revealed in a blog post that it managed to provide some early warning to the Turkish authorities which helped them mitigate any potential damage.
Several government offices including the office of the prime minister, the Turkish parliament and one of the country’s largest newspapers, Hürriyet, were hit by a string of attacks in January and February.
The target list indicates that the hackers were after political information. In a typical Pawn Storm move, fake Outlook Web Access (OWA) servers were set up for those specific targets in a bid to phish credentials and steal sensitive info.
“Many of these targets share a common trait: that they could be perceived as a threat to Russian politics in some way or form,” explained Trend Micro senior threat researcher, Feike Hacquebord.
“We believe that these attacks against Turkey were related to previous Pawn Storm-related incidents in summer and fall 2015, which targeted Syrian opposition and about all of the Arab countries that voiced criticism about Russia’s interventions in Syria.”
As for the driver for this particular set of attacks – it could be related to disagreements with Russia over a number of issues including the shooting down of a Russian plane over Syria last year by Turkish Air Force, he argued.
Other factors could include internal disputes with Kurdish groups inside Turkey, or the huge influx of refugees trying to enter Europe via Turkey, Hacquebord speculated.
A bulletproof hoster in the Netherlands looks a likely culprit in helping provide the infrastructure needed to carry out these attacks, Trend Micro concluded.
“They seem to have found a cozy home at a VPS provider with a postal address in the United Arab Emirates and servers in a datacenter in the Netherlands,” Hacquebord claimed. “This isn’t the first time Pawn Storm has used this particular VPS provider.”
Although Pawn Storm has been linked to the Kremlin in the past – with attacks on US defense firms, NATO and Ukrainian government targets, and even the White House – 100% attribution is always difficult.
However, the group – also known as ‘Sednit’ or APT 28 – would appear to be a well-resourced and relatively sophisticated operation, which increased its activity ten-fold over 2015.
Back in July 2015 it was responsible for the first Java zero-day threat spotted since 2013.