A Storm’s a Coming: How businesses can defend against threat actor groups like Pawn Storm

It's critical to hire a CISO that has experience and can lead a team.

Pawn Storm (aka Sednit5, Fancy Bear, APT28, Sofacy and STRONTIUM8) might sound like Instagram accounts, top-secret spy programs or recently passed legislation, but in reality they are all different names for the same successful cyber espionage group (or threat actor group). These actors often use multi-angle bombardment attacks on the same target, implementing multiple methods to reach their goals and relying on practiced (proven) techniques, especially when it comes to phishing attacks.

Credential phishing is an effective tool used within cyber espionage campaigns. Many Internet users are trained by experience not to fall victim to these types of phishing attacks. By spotting obvious grammar and spelling errors, uncommon domains in URLs or the absence of a secure, encrypted connection in the browser bar help users identify possible malicious threats. However, professional threat actors like Pawn Storm have the resources and experience to avoid these simple mistakes and invent crafty social engineering tactics to bypass red flag indicators. These devious professionals send phishing emails with perfect spelling and grammar in any language, and have no problem evading spam filters and other security measures. Essentially, credential phishing attacks have become an effectively dangerous tool that can have severe damaging effects on vast amounts of sensitive data, which can be stolen, blackmailed or erased. Credential phishing is also a strategic step to penetrate deeper into target’s digital infrastructure.

Even though groups such as Pawn Storm can target individuals like as Colin Powell and Hillary Clinton, or groups such as Democratic National Committee (DNC) and World Anti-Doping Agency (WADA), there are protective measures you can do to raise the level of your defenses against cybercriminals:

  • Minimize your attack surface—systems that do not need to be exposed to the open Internet shouldn’t be
  • Require remote workers to use the corporate VPN to access your systems
  • Minimize the number of domain names you maintain and centralize email servers
  • Prevent DNS hijacking of your domains. Work with reputable registrars only, or those that allow for two-factor authentication of your DNS administrator account. Lock your domain at the registrar to further raise the bar for unauthorized changes to your domains.
  • Enforce two-factor authentication for corporate webmail, or a better option would be to require authentication by means of a physical (USB) security key
  • Educate employees on securing their private free webmail and social media accounts, and don’t let them use those accounts for work purposes
  • When your employees travel overseas or attend conferences, let them take a clean loan computer with them. Wipe the data from the computer and do a fresh OS install after the trip.
  • Outsourced services can be compromised too, use only reputable third-party services
  • Educate workers about email system and/or email account best practices: specifically, don’t store sensitive information in email boxes without encryption and don’t send sensitive information by email without encryption.
  • Let a reputable company do penetration testing of your network regularly. Include social engineering in these tests
  • Keep software updated and patched

To read the full Pawn Storm report please visit here.

Leave a Reply