The Russia connection
Russian hackers who hacked DNC are now targeting U.S. Senate: Experts

Published 12 January 2018

Russian hackers from the group known as “Fancy Bear” are targeting the U.S. Senate with a new espionage campaign, according to cybersecurity firm TrendMicro. Fancy Bear was one of the Russian government’s hacking groups employed by the Kremlin in 2016 to help Donald Trump win the presidency, and TrendMicro analysts say the group has spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate. Analysts say that the group’s efforts to gather the emails of America’s political elite suggest that the Kremlin plans to continue to interfere in the American political process.

In a report cybersecurity firm TrendMicro posted on its website Friday, Feike Hacquebord, a senior threat researcher at the firm, says that in the second half of 2017 Pawn Storm (TrendMicro’s name for the group others call Fancy Bear or APT28), an extremely active espionage actor group, did not shy away from continuing its brazen attacks. The group’s attacks are usually not isolated incidents, and TrendMicro can often relate them to earlier attacks by carefully looking at both technical indicators and motives.

Pawn Storm has been attacking political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States since 2015. TrendMicro saw attacks against political organizations again in the second half of 2017. These attacks show little technical innovation over time, but they are well prepared, persistent, and often hard to defend against. Pawn Storm has a large toolset of social engineering tricks, malware, and exploits, and therefore needs little innovation beyond occasionally using its own zero-days and quickly weaponizing vulnerabilities in the window after a security patch is released but before targets have applied it.

In summer and fall of 2017, TrendMicro observed Pawn Storm targeting several organizations with credential phishing and spear phishing attacks. Pawn Storm’s modus operandi has been quite consistent over the years, with some of its technical tricks used repeatedly. For example, tabnabbing was used against Yahoo! users in August and September 2017 in U.S. politically themed email. The method, which TrendMicro first described in 2014, lures the target into opening a decoy page in a new browser tab; while the target is reading the decoy, script on that page rewrites the original tab (typically the webmail session the link was clicked from) to point at a look-alike login page, so the “session expired” prompt the target finds on returning is actually a credential-phishing site.
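The tab-switching trick above is usually called reverse tabnabbing. The following is an added example written for this page, not code from TrendMicro or from the campaign: it models the mechanism (a new tab abusing the `window.opener` reference back to the tab that opened it) and the `rel="noopener"` link attribute that severs that reference. Node has no DOM, so the two tabs are plain objects; the webmail, conference and phishing URLs are hypothetical placeholders.

```javascript
// Added example, not from the original article or from TrendMicro.
// Reverse tabnabbing: a link with target="_blank" (or a window.open() call) without
// rel="noopener" gives the new tab a `window.opener` handle to the tab that opened it.
// Script in the new tab can then set window.opener.location to a phishing page while the
// victim reads the decoy. rel="noopener" (now the default for target="_blank" in current
// browsers) removes that handle. Tabs are modelled as plain objects because Node has no DOM.

'use strict';

// Minimal model of a browser tab: its current URL plus the opener reference a child tab gets.
function makeTab(url, opener = null) {
  return { location: url, opener };
}

// Model of following a target="_blank" link from `parentTab`. With noopener the child tab
// gets no handle back to the parent, as a real browser does with rel="noopener".
function openInNewTab(parentTab, url, { noopener = false } = {}) {
  return makeTab(url, noopener ? null : parentTab);
}

// Attacker script running in the decoy tab. Returns true if it redirected the opener.
// The phishing URL is a hypothetical placeholder.
function nabOpener(decoyTab, phishingUrl = 'https://mail-login.example.invalid/owa/') {
  if (!decoyTab.opener) return false;        // rel="noopener" severed the reference
  decoyTab.opener.location = phishingUrl;    // the victim's original tab now shows the fake login
  return true;
}

// Defensive side: rewrite target="_blank" anchors in server-rendered HTML so they carry
// rel="noopener noreferrer". Regex-based because this runs without a DOM; it is meant for
// simple templated markup, not for sanitizing arbitrary attacker-controlled HTML.
function hardenBlankLinks(html) {
  return html.replace(/<a\b([^>]*?)>/gi, (tag, attrs) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(attrs)) return tag;
    const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    if (relMatch) {
      const tokens = new Set(relMatch[1].toLowerCase().split(/\s+/).filter(Boolean));
      tokens.add('noopener');
      tokens.add('noreferrer');
      return `<a${attrs.replace(relMatch[0], `rel="${[...tokens].join(' ')}"`)}>`;
    }
    return `<a${attrs} rel="noopener noreferrer">`;
  });
}

// Constructed sample markup: one unsafe link, one already hardened, one ordinary same-tab link.
const SAMPLE_HTML = [
  '<p>Agenda: <a href="https://conference.example.invalid/" target="_blank">see site</a></p>',
  '<a href="https://intranet.example.invalid/" target="_blank" rel="noopener">intranet</a>',
  '<a href="/help">help</a>',
].join('\n');

// Run both outcomes: the unprotected tab gets redirected, the noopener tab does not.
function demo() {
  const webmail = makeTab('https://owa.example.invalid/');
  const unsafeDecoy = openInNewTab(webmail, 'https://conference.example.invalid/');
  const nabbed = nabOpener(unsafeDecoy);

  const webmail2 = makeTab('https://owa.example.invalid/');
  const safeDecoy = openInNewTab(webmail2, 'https://conference.example.invalid/', { noopener: true });
  const blocked = !nabOpener(safeDecoy);

  return {
    nabbed,                       // true: victim's webmail tab was replaced
    victimUrl: webmail.location,  // now the phishing URL
    blocked,                      // true: noopener left the second tab alone
    untouchedUrl: webmail2.location,
    hardened: hardenBlankLinks(SAMPLE_HTML),
  };
}

console.log(demo());
```

The defence is cheap: every `target="_blank"` link (and every `window.open()` call that does not need the handle) should carry `rel="noopener"`; `noreferrer` additionally stops the decoy from learning the webmail URL via the `Referer` header. User training matters too, since the victim sees a login prompt in a tab that genuinely was their webmail a moment earlier.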

Hacquebord notes that TrendMicro can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. This makes sense, as the sheer volume of their attacks requires careful administration, planning, and organization to succeed. He gives two typical credential phishing emails that targeted specific organizations in October and November 2017 as examples: one purports to be a message from the target’s Microsoft Exchange server about an expired password; the other claims that a new file is waiting on the company’s OneDrive system. Both lead to a fake login page that harvests the target’s credentials.