Russian hackers who hacked DNC are now targeting U.S. Senate: Experts

While these emails might not seem to be advanced in nature, TrendMicro has seen that credential loss is often the starting point of further attacks which include stealing sensitive data from email inboxes. TrendMicro says it has have worked with one of the targets, an NGO in the Netherlands targeted twice, in late October and early November 2017. TrendMicro successfully prevented both attacks from causing any harm. In one case TrendMicro was able to warn the target within two hours after a dedicated credential phishing site was set up. In an earlier attack, TrendMicro was able to warn the organization 24 hours before the actual phishing emails were sent.

Olympic Wintersports federations
TrendMicro specialists have seen several International Olympic Wintersport federations, such as the European Ice Hockey Federation, the International Ski Federation, the International Biathlon Union, the International Bobsleigh and Skeleton Federation and the International Luge Federation, among the group’s targets in the second half of 2017. This is noteworthy due to the timing correlation between several Russian Olympic players being banned for life in fall, 2017. In 2016, Pawn Storm had some success in compromising WADA (the World Anti-Doping Agency) and TAS-CAS (the Court of Arbitration for Sport). At that time, Pawn Storm sought active contact with mainstream media either directly or via proxies and had influence on what some of them published.

Political targets
In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users. TrendMicro was able to collect evidence that credential phishing emails were sent to chmail.ir users on 18 May 2017, just one day before the presidential elections in Iran. TrendMicro has previously reported similar targeted activity against political organizations in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, TrendMicro can relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.

The future of politically motivated campaigns
TrendMicro says that rogue political influence campaigns are not likely to go away in the near future. Political organizations have to be able to communicate openly with their voters, the press and the general public. This makes them vulnerable to hacking and spear phishing. On top of that, it is also relatively easy to influence public opinion via social media. Social media platforms continue to form a substantial part of users’ online experience, and they let advertisers reach consumers with their message.

This makes social media algorithms susceptible to abuse by various actors with bad intentions. Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools. While a successful influence campaign might seem relatively easy to do, it needs a lot of planning, persistence, and resources to be successful. Some of the basic tools and services, like ones used to spread fake news on social media, are already being offered as a service in the underground economy.

As TrendMicro has mentioned in its overview paper on Pawn Storm, other actors may also start their own campaigns that aim to influence politics and issues of interest domestically and abroad. Actors from developing countries will learn and probably adapt similar methods quickly in the near future. In 2016, we published a report on C Major, an espionage group that primarily targets the Indian military. “By digging deeper into C Major’s activities, we found that this actor group not only attacks the Indian military, but also has dedicated botnets for compromised targets in Iranian universities, Afghanistan, and Pakistan. Recently, we have witnessed C Major also showing some interest in compromising military and diplomatic targets in the West. It is only a matter of time before actors like C Major begin attempting to influence public opinion in foreign countries, as well,” Hacquebord says.

He concludes” “With the Olympics and several significant global elections taking place in 2018, we can be sure Pawn Storm’s activities will continue. We at Trend Micro will keep monitoring their targeted activities, as well as activities of similar actors, as cyberpropaganda and digital extortion remain in use.”

In wake of the report, Senator Ben Sasse (R-Nebraska), called on Attorney General Jeff Sessions to update lawmakers on steps taken to prevent Russian meddling.

“Russia is just getting started and the hacks, forgeries, and influence campaigns are going to get more and more sophisticated,” he said.

He called for “urgent action” by the administration “to ensure that our adversaries cannot undermine the framework of our political debates and the attorney general should come back to Congress and explain what steps he’s taken since last year.”