Pawn Storm – also known as Sednit, Fancy Bear, APT28, Sofacy and Strontium – is becoming more aggressive in its efforts to influence politics, and email is at the core of most attacks, security researchers have found.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Email’s renewed popularity as a means of attack is driven by the fact that it does not rely on vulnerabilities and uses simple deception to lure victims into opening attachments, clicking links or disclosing credentials, according to Symantec’s latest threat report.
In particular, credential phishing has been a key part of many cyber attacks by Pawn Storm on armed forces, the defence industry, news media, politicians and dissidents, according to a report by security researchers at Trend Micro.
They have found that the group is creating phishing emails that are highly sophisticated, almost perfectly replicating legitimate URLs and using a technique called “tabnabbing” which swaps inactive open tabs with a phishing site.
Pawn Storm was widely linked to cyber attacks on the Democratic National Committee and Hillary Clinton’s campaign in the 2016 US presidential election, and more recently was found to be targeting French presidential candidate Emmanuel Macron, the report said.
Pawn Storm is also believed to have targeted the German political party Christian Democratic Union (CDU), the Turkish parliament, the parliament in Montenegro, and the World Doping Agency (WADA).
These activities have raised concerns about the cyber security of political parties, with several elections due across Europe in 2016, including the UK in June.
Ravi Khatod, CEO of email security firm Agari, believes that unless the threat of social-engineering email attacks is taken seriously by all political parties and individuals, it is only a matter of time before another high-profile political data breach happens.
“The fact that Macron’s campaign team has said it has put measures in place to block emails from the malicious domains is encouraging,” he said. “We implore all political parties to ensure that they, likewise, make email security a priority, particularly those with high-stakes elections coming up.”
At a minimum, Khatod said there is no excuse not to implement the Dmarc (domain-based message authentication, reporting and conformance) email authentication policy to help identify and block malicious emails impersonating trusted domains.
Implementation of Dmarc is mandatory for public sector bodies as part of the active cyber defence programme led by the National Cyber Security Centre (NCSC).
However, Khatod said other advanced precautions also need to be taken, with an emphasis on verifying the identity of the sender. “Traditional email security filters can no longer be relied on as they have no ability to prevent targeted attacks,” he said.
Steven Malone, director of security product management at email security firm Mimecast, said word-perfect phishing attacks are now increasingly common, impersonating domain names and individuals with personalised precision.
“News of attacks on political campaigns [by Pawn Storm] are a timely reminder that all organisations need to review their email security practices,” he said. “Monitoring for lookalike domains and stamping external emails with warnings are effective countermeasures.”
Brian Vecci, technical evangelist at governance firm Varonis, said leaked emails can have a disrupting effect on campaigns and embarrass the candidate or party, but the risks do not stop with email.
Candidates for public office and political parties, like businesses, create and store a lot of data in vulnerable places, he said.
According to the 2017 Varonis Data Risk Report, on average organisations have 20% of folders open to every employee, and 47% have at least 1,000 or more files containing sensitive personal or financial data accessible to every user.
“One compromised account or system can compromise a massive amount of data, and possibly an election,” said Vecci.
If the highly targeted phishing attacks on French presidential candidate Emmanuel Macron’s campaign had been successful in stealing credentials, the attackers would have become virtual “insiders”, gaining access to files and emails that could influence the election, he said.
“Thankfully, this campaign was prepared enough to identify at least some of the phishing attempts, but it only takes one attempt for a hacker to steal your credentials.
“Let’s hope they were also prepared with additional layers of defence, such as restrictive internal access controls that reduce the amount of sensitive data that any one person or system can access, and sophisticated user behaviour analytics that can spot and stop unusual access to files and emails before sensitive data is exfiltrated.”
The Trend Micro report on Pawn Storm recommends that organisations improve the security of their email and defend against credential theft by considering the following:
- Even though two-factor authentication improves security, it does not make social engineering impossible because all temporary tokens can be phished by an attacker.
- Even when two-factor authentication is used, an attacker only has to phish for the second authentication token once or twice to get semi-permanent access to a mailbox. They can set up a forwarding address or a token that allows third-party applications full access to the system.
- Mandatory logging in to a company VPN network does raise the bar for an attacker. However, VPN credentials can also be phished, and targeted attackers may specifically go after VPN access credentials.
- Authentication with a physical security key makes credential phishing virtually impossible unless the attacker has physical access to the target’s equipment. When a target uses a physical security key, the attacker either has to find an exploit to get unauthorised access, or has to get physical access to the security key and the target’s laptop.
- To add to authentication methods that are based on what you know and what you have, authentication can be added is based on what you are: fingerprints or other biometric data. Biometrics have already been used by some laptops and phone suppliers, and have also been a common authentication method in datacentres for more than a decade.