Group Leveraging Corporate Email Accounts, Trend Micro Researchers Say
Over the last year, Russian state-sponsored hackers have switched their techniques, relying more on compromised corporate email accounts to send out targeted phishing emails and spam, according to the security firm Trend Micro.
Russian hackers are now scanning the internet looking for vulnerable email servers Microsoft Exchange Autodiscover servers and then using any compromised email accounts they find to assist in phishing attacks, according to Trend Micro’s new report.
The report focuses on the activities of a Russian-sponsored group that the company refers to as Pawn Storm, but others call APT28, Strontium or Fancy Bear. Security firms and intelligence agencies believe that this group is part of Russia’s military intelligence division – General Staff Main Intelligence Directorate, or GRU.
The group has been accused of participating in several significant hacking events, including the theft of emails from the U.S. Democratic National Committee in 2016 (see: After Russia Hacks DNC: Surprising Candor).
And while the Trend Micro report notes that the group stills relies on malware and zero-day attacks as part of their hacking arsenal, the shift to scanning for vulnerable email servers is fairly new – and the exact purpose and techniques involved are not clear.
“Pawn Storm could be attempting to evade filtering at the cost of making some of their successful compromises known to security companies,” Feike Hacquebord, a senior threat researcher at Trend Micro, notes in the report. “However, we did not notice a significant change in successful inbox deliveries of the group’s spam campaigns, making it difficult to understand the rationale behind the change in methodology.”
Russian hackers appear to have started deploying these new techniques around May 2019. The majority of the compromised accounts came from defense companies in the Middle East, but other targets included transportation, utilities and other government organizations, according to the report.
In addition to the Middle East, the Russian-backed hackers have targeted organizations in India, Pakistan and the U.S., according to the report.
Last year, the Russian hackers started scanning the internet for vulnerable servers, including webmail and Microsoft Exchange Autodiscover servers, which are used by system admins to help configure email accounts, according to the report. In some cases, attackers are targeting vulnerable and unsecured TCP ports 445 and 1433, which allow remote access to certain Microsoft services.
Sometimes, hackers use brute-force techniques to guess combinations of passwords and usernames, the Trend Micro researchers say. If successful, the hackers use combinations of VPNs to hide their activities and begin compromising email accounts, according to the report.
From there, the hackers can either exfiltrate data from the network, steal credentials to other email accounts, or use the compromised email accounts to send out phishing emails or spam that help hide their other activities, according to the report.
Because the phishing emails appear to come from legitimate accounts, it’s more likely that the targets will open the emails and any attachments that they contain, the researchers say.
The Russian group, which has been active since at least 2004, has regularly changed its techniques to better evade detection.
In September 2019, for instance, security firm ESET found that the hackers had started deploying a new backdoor that targeted ministries of foreign affairs and embassies in Eastern Europe and Central Asia (see: ‘Fancy Bear’ Hacking Group Adds New Capabilities, Targets).