Pawn Storm – A Look Into this Cyberespionage Actor Group

In April 2017, my monthly threat webinar focused on a cyberespionage group that our Forward-Looking Threat Researcher, Feike Hacquebord, has been following for many years; he recently published a report on the most recent two years of its activities. In this post I want to focus on the group's tools and tactics rather than on who they target, since this is what most organizations need to focus on in order to protect themselves if targeted by Pawn Storm or other actors using similar tactics.


Pawn Storm actors use a number of threats to compromise their victims:

  1. Credential phishing is their primary means of infection, whereby they attempt to steal login credentials for email accounts, both consumer and corporate.
  2. OAuth abuse is an effective means of compromising a victim and one which we’ve seen recently in the news.
  3. Tabnabbing is a tactic that many may not be familiar with, but it is one that Pawn Storm uses regularly.
  4. Targeting organizations' DNS settings via their registrar, or the HOSTS file on their systems.
  5. Watering hole attacks, carried out by compromising websites frequently visited by their victims.
  6. Spearphishing emails are a staple in their arsenal of tools, which is common with all attacks.
  7. A private exploit kit, to which they regularly add 0-days and common vulnerabilities, is used to infect hosts.
  8. 2nd stage C&C and malware are used only for targets they deem high value.

All of these tools and tactics allow them to be very successful in their attacks, and organizations should invest time in better understanding how these work and how they can improve their cyber security, as well as their operational security, to minimize the chance of compromise.
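For item 4, one check a defender can automate is auditing a system's HOSTS file for entries that override resolution of the organization's own mail or login names. The sketch below is an added example, not taken from the webinar or the report; the domain, the addresses, the allowlist and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the report). example.com is a
# placeholder domain; 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# 198.51.100.7  mail.example.com   (commented out, ignored)
203.0.113.45    mail.example.com webmail.example.com   # unexpected override
10.0.0.5        intranet.example.com
0.0.0.0         ads.tracker.test
2001:db8::bad   login.example.com
not-an-ip       owa.example.com
"""

def parse_hosts(text):
    """Yield (line_no, ip_text, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank, comment-only or bare token
        for name in fields[1:]:                 # one address can carry several names
            yield line_no, fields[0], name.lower().rstrip(".")

def audit_hosts(text, watched_domains, allowed=None):
    """Return (line_no, hostname, address, reason) for watched names that are
    pinned locally to an address not explicitly allowed for that name."""
    allowed = allowed or {}
    watched = [d.lower() for d in watched_domains]
    findings = []
    for line_no, ip_text, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, name, ip_text, "malformed address"))
            continue
        approved = {ipaddress.ip_address(a) for a in allowed.get(name, ())}
        if ip not in approved:
            findings.append((line_no, name, str(ip), "local override of watched name"))
    return findings

if __name__ == "__main__":
    # Assumption: intranet.example.com is legitimately pinned by IT to 10.0.0.5.
    for finding in audit_hosts(SAMPLE_HOSTS, ["example.com"],
                               {"intranet.example.com": ["10.0.0.5"]}):
        print(finding)
```

On a real host, pass the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` instead of the sample, and compare the results across the fleet so that a single machine with an unexpected entry stands out.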

I cover all of these, and the other information about the Pawn Storm group, in my recorded webinar, but more importantly I share some solutions and best practices businesses can use to protect themselves from this group. I hope you enjoy the presentation, and feel free to leave a comment below if you have any questions or leave me a recommendation for future webinars on what threats you’d like me to cover.
