Russian state-sponsored hackers have been sniffing Middle East defence firms, warns Trend Micro

Artists variously known as Pawn Storm and APT28 are still at it


The Russian hacking crew known variously as APT28, Fancy Bear and Pawn Storm has been targeting defence companies with Middle Eastern outposts, according to Trend Micro.

A new report from the threat intel firm says that the Russian state-backed hacking outfit went on a spree of targeting defence firms in the Middle East back in May last year. Using credential-phishing tactics, APT28 used the email accounts of targets they had already hacked to fire phishing emails at further targets using known contacts for a higher strike rate.

According to Trend, around 38 per cent of the attacks fired off by the Russians were targeted at defence companies, with banking, construction and government targets making up the main portion of the others.

“Surprisingly, the list also included a couple of private schools in France and the United Kingdom, and even a kindergarten in Germany,” commented the threat intel firm.

Further, Trend said APT28 were port-scanning mail servers, including Microsoft Exchange Autodiscover boxen, on TCP ports 443 and 1433 in the hope of finding vulnerable machines to exploit, and use as a staging post in their ongoing campaign.


Close examination of APT28’s spam-sending tactics revealed that they like using VPNs to try and hide their traces, with Trend stating: “Pawn Storm regularly uses the OpenVPN option of commercial VPN service providers to connect to a dedicated host that sends out spam. The dedicated spam-sending servers used particular domain names in the EHLO command of the SMTP sessions with the targets’ mail servers.”
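One way to act on that EHLO indicator, as an added example that is not from Trend Micro or the original article: it reads the topmost Received header written by your own border MTA (Postfix-style format assumed) and checks the EHLO name against a watchlist. The watchlist domains, sample messages and function names are constructed placeholders.

```python
import re
from email import message_from_string

# Hypothetical watchlist: substitute the EHLO domains from the vendor report.
EHLO_WATCHLIST = {"bulk-relay.example", "mailout.example.net"}

# Postfix-style hop: "from <ehlo-name> (<reverse-dns> [<ip>])"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)")

def border_hop(raw_message):
    """Return (ehlo_name, client_ip) from the topmost Received header, or None.

    Only the topmost header is trusted: it was added by our own server,
    everything below it is controlled by the sender.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    match = HOP_RE.search(" ".join(received[0].split()))  # unfold the header
    if match is None:
        return None
    return match.group("helo").lower().rstrip("."), match.group("ip")

def on_watchlist(helo, watchlist=EHLO_WATCHLIST):
    """Exact domain or subdomain match; a bare suffix test would also
    flag look-alikes such as notbulk-relay.example."""
    return any(helo == d or helo.endswith("." + d) for d in watchlist)

def triage(raw_messages, watchlist=EHLO_WATCHLIST):
    """Return (client_ip, ehlo_name) for every message whose border hop
    announced a watched EHLO name."""
    hops = (border_hop(raw) for raw in raw_messages)
    return [(ip, helo) for helo, ip in filter(None, hops)
            if on_watchlist(helo, watchlist)]

# Constructed sample messages (documentation IP ranges, .example domains).
TAIL = ("\n\tby mx.corp.example (Postfix) with ESMTPS id 4A1B2C;"
        " Wed, 1 Jan 2020 09:00:00 +0000\nSubject: test\n\nbody\n")
SAMPLES = [
    "Received: from smtp7.bulk-relay.example (unknown [203.0.113.45])" + TAIL,
    "Received: from notbulk-relay.example (unknown [203.0.113.46])" + TAIL,
    "Received: from MX.mailout.example.net (unknown [IPv6:2001:db8::25])" + TAIL,
    "Received: from mail.partner.example (mail.partner.example [198.51.100.7])" + TAIL,
]

if __name__ == "__main__":
    for ip, helo in triage(SAMPLES):
        print(f"watchlisted EHLO {helo} from {ip}")
```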

What should you do if you’re targeted by APT28? Trend’s advice was straightforward: keep an eye on your infrastructure for any unusual access patterns, patch your systems as and when updates become available from vendors, and educate your employees not to click on links in unexpected emails.

APT28 was recently and publicly called out by Western governments for its hacking campaigns against Georgia, a former Soviet republic that has been leaning away from Vladimir Putin’s neo-Soviet Russia in recent years. ®



Biting the hand that feeds IT © 1998–2020