Sqrrl Blog

Oct 29, 2014 8:00:00 AM

The "Pawn Storm" Campaign and Dynamic Threat Detection

By George Aquila

An advanced and widespread malware campaign dubbed “Pawn Storm” was recently profiled in a white paper by the security firm Trend Micro. The campaign has reportedly been targeting and compromising a number of high-value government and private sector defense systems across the world for the past several years.

Target and Scope

Although the perpetrators have not been directly identified, the list of affected targets is extensive. It includes the US State Department, private companies such as SAIC and military contractor Academi (formerly known as Blackwater), US international allies such as the Organization for Security and Co-operation in Europe (OSCE), the French, Hungarian and Polish defense ministries, and even select military officials in Pakistan. Pawn Storm’s main objective is conducting strategic espionage on security and defense networks. The exfiltrated data has consisted of economic and political intelligence, most useful to geopolitical rivals of the US and its NATO allies. This has led many to believe this is once again the work of Russian-sponsored hacker groups.

The earliest recovered email attributed to Pawn Storm dates back to 2011, but evidence suggests the attackers have been active since 2007. The campaign has utilized a methodology that relies on multiple attack vectors to rapidly spread its malware component. These vectors consist of phishing emails, rerouting users to fake websites that facilitate credential theft, and malicious HTML iframes injected into legitimate websites to deliver exploits.

Pawn Storm has been exposed to a vast number of systems across the world, but only certain individuals were targeted with the delivery of the real malware payload. The attacks were designed to be triggered only if targeted systems matched specific requirements, such as OS version, language settings, and installed programs. The attackers have been extremely successful in evading detection, and have maintained their presence through the use of constantly changing command and control (C&C) origin servers. Classic infiltration mitigation involves taking down a C&C as soon as it is detected, but a storm of one-time-use C&Cs, referred to as “pawns”, makes it extremely difficult to root intruders out of the network.

“Next Level” Spear Phishing Tactics

The perpetrators behind Pawn Storm have used advanced spear phishing techniques that go well beyond the average scope in both complexity and attention to detail, as each of the attacks was executed in multiple stages. Emails were sent to a host of different individuals including “military, embassy and contractor personnel.”

The emails used elaborate descriptions of real current events, such as incident reports or announcements for upcoming summits, which were supplemented with either seemingly innocuous attachments or links to spoofed websites. These malicious attachments appeared as files such as Word and Excel documents, and the websites referenced were similar in appearance and name to their legitimate counterparts.

The Malware

After a victim opened the attachment or visited a malicious site, the attacker gained a foothold into their system via a Microsoft Office exploit that allows for the execution of arbitrary code. The now-compromised machine would then download the initial payload, and the user’s network would be breached. The payload itself consisted of a .dll file, used to download more component files after communicating with the command origin. The first .dll would drop one or more additional files of the same type, which ultimately downloaded the malware package identified in each case as some variant of the Win32/SEDNIT malware family.

[Figure: The two main phases of Pawn Storm's multi-stage attack chain]

The downloader would also automatically install a keylogger to begin information collection from the first moment of arrival. What really sets these attacks apart is the complexity of their multi-stage attack chains, which make it significantly more difficult to track down and make sense of all the different attack components.

SEDNIT is a family of malware trojans first identified in 2012 that creates backdoors and gathers sensitive information from compromised systems, sending all data back to an ever-shifting C&C point in the exfiltration process.

The Sqrrl Benefit

The Pawn Storm campaign and subsequent breaches are more evidence for why system penetration prevention remains incredibly difficult with traditional means, as even critical defense systems and government networks were compromised. No matter how secure your network perimeter may be, social engineering tactics can exploit human-factor vulnerabilities.

The key to threat mitigation must then reside in rapid infiltration detection via Linked Data Analysis.

Sqrrl Enterprise is designed for precise and rapid detection, taking disparate data from across the network and using dynamic knowledge extraction to establish and explore the connections between events inherent in your data. This allows for more dynamic analytics above and beyond pure anomaly detection, looking at the geometry of the network and finding patterns in asset interactions through linked data. By applying these advanced techniques to cyber incident investigation, Sqrrl can link all your data to make sense of obscured events, even when threats are deployed via complex attack chains.
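As an added illustration (not Sqrrl's own code or any detection logic from the Trend Micro paper), the following script shows the linked-data idea in miniature: it correlates per-host events into the chain described above (Office document opened, DLL dropped, then a DNS lookup of a domain no other host in the organization has contacted) so that one-time-use "pawn" C&Cs surface by their role in the chain rather than by a known indicator. All hosts, file names and domains are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, files and domains; none are from the report).
# Each record: (host, timestamp, event type, detail).
EVENTS = [
    ("ws-07", "2014-10-20T09:02:10", "office_open", "summit_agenda.docx"),
    ("ws-07", "2014-10-20T09:02:41", "dll_write", "C:\\Temp\\netui.dll"),
    ("ws-07", "2014-10-20T09:03:05", "dns", "update-cdn-1192.example"),
    ("ws-12", "2014-10-20T10:15:00", "office_open", "incident_report.xls"),
    ("ws-12", "2014-10-20T10:15:33", "dll_write", "C:\\Temp\\api32.dll"),
    ("ws-12", "2014-10-20T10:16:20", "dns", "mail-sync-3301.example"),
    ("ws-19", "2014-10-20T11:00:00", "office_open", "budget.xlsx"),   # benign: no DLL drop
    ("ws-19", "2014-10-20T11:03:00", "dns", "intranet.example"),
    ("ws-22", "2014-10-20T11:31:00", "dns", "intranet.example"),      # shared domain, not a pawn
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_staged_chains(events, window_minutes=10):
    """Link events per host and return hosts showing the chain
    office_open -> dll_write -> DNS lookup of a domain resolved by no other host."""
    window = timedelta(minutes=window_minutes)
    domain_hosts = defaultdict(set)   # domain -> set of hosts that resolved it
    by_host = defaultdict(list)
    for host, ts, kind, detail in events:
        by_host[host].append((_ts(ts), kind, detail))
        if kind == "dns":
            domain_hosts[detail].add(host)
    hits = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, kind, doc) in enumerate(evs):
            if kind != "office_open":
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= window]
            dll_idx = next((j for j, e in enumerate(later) if e[1] == "dll_write"), None)
            if dll_idx is None:
                continue
            # "pawn" pattern: a domain contacted by exactly one host in the whole data set
            c2 = next((e[2] for e in later[dll_idx + 1:]
                       if e[1] == "dns" and len(domain_hosts[e[2]]) == 1), None)
            if c2:
                hits[host] = (doc, later[dll_idx][2], c2)
                break
    return hits

if __name__ == "__main__":
    for host, chain in find_staged_chains(EVENTS).items():
        print(host, "->", " -> ".join(chain))
```

With the sample data, ws-07 and ws-12 are flagged with their document, DLL and candidate C&C domain, while ws-19 (no DLL drop, shared domain) is not.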

If you are interested in a demo of Sqrrl’s Linked Data Analysis capabilities, let us know.
