Operation Pawn Storm – Social Engineering Leaves Everyone Vulnerable

If you’ve ever felt angry, irritated or upset at yourself for falling for some cleverly worded email and clicking on the attachment thereby infecting your computer or your company’s network with something awful, you’re not alone!

The point of social engineering is both to get around standard network security setups and to dupe individuals at all levels into opening that email attachment or entering their credentials into that look-alike site.

Operation Pawn Storm is a study by Trend Micro into “economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies.” Looking at the list of targets, it’s clear that this is a group with heightened security concerns, and one most of us would imagine is well equipped to fend off cyber-attacks, but the reality is that they are just as susceptible to a cleverly worded email as the rest of us. And no amount of money put into network infrastructure can fully mitigate human error.

Included in the study as targets are ACADEMI (the defense contractor formerly known as Blackwater), SAIC, the Organization for Security and Co-operation in Europe, the Ministry of Defense in France, broadcasting companies, the Ministry of Defense in Hungary, Polish government employees, the United States Department of State and the Vatican Embassy in Iraq.

So how were these individuals tricked? The simple answer is: exactly the same way the attackers trick everyone else. Spear-phishing schemes, carefully worded emails, and slightly changed or redirected domains.

Examples from Trend Micro’s report:

The Ministry of Defense in Hungary was tricked using an upcoming exhibition and conference. The attackers registered a domain similar to the real conference’s, built a look-alike website, and then sent targeted emails to those who could be expected to attend from Hungary.

  • Real conference domain – eurosatory.com
  • Malicious conference domain – eursatory2014.com

Similar to the Hungarian Defense Ministry, SAIC was the target of a spoofed conference website. In this case it was for the “Future Forces 2014” conference, and the intent was to trick email recipients into providing their webmail credentials.

  • Real conference domain – natoexhibition.org
  • Malicious conference domain – natoexhibitionff14.com
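Both malicious domains above follow the same pattern: the real conference name, either slightly misspelled or with an edition or year bolted on. The script below is an added example (it is not from this post or from the Trend Micro paper) showing how a defender can screen newly seen domains against a watchlist of legitimate ones for exactly these patterns. The watchlist, the candidate list and the scoring thresholds are constructed for illustration; the two real and two malicious domains are the ones the post cites, the other candidates are made up. It assumes single-label TLDs (.com, .org); a production version would split domains using the Public Suffix List.

```python
import re

# Constructed watchlist: legitimate domains the organisation wants protected.
# eurosatory.com and natoexhibition.org are the real conference domains named above.
WATCHLIST = ["eurosatory.com", "natoexhibition.org"]

# Constructed candidate list standing in for newly registered or newly seen domains
# (e.g. pulled from mail-gateway logs or a certificate-transparency feed).
CANDIDATES = [
    "eursatory2014.com",       # malicious domain cited above (missing 'o' + year)
    "natoexhibitionff14.com",  # malicious domain cited above (brand + 'ff14')
    "eurosatory.com",          # the real domain, must not be flagged
    "eurosatory.net",          # constructed: same label, different TLD
    "unrelated-vendor.com",    # constructed: benign, must not be flagged
]


def split_domain(domain):
    """Return (registrable label, tld). Assumes a single-label TLD."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def strip_trailing_digits(label):
    """Drop a trailing year or edition number ('eursatory2014' -> 'eursatory')."""
    return re.sub(r"\d+$", "", label)


def lookalike_reason(candidate, legit):
    """Return a short reason string if candidate resembles legit, else None."""
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legit)
    if c_label == l_label:
        # Identical label: only the TLD can differ.
        return None if c_tld == l_tld else "same label as %s, different TLD" % legit
    core = strip_trailing_digits(c_label)
    if core == l_label:
        return "%s plus year/edition suffix" % legit
    # Brand with a short tag appended ('natoexhibition' + 'ff'); 3 chars is a constructed threshold.
    if core.startswith(l_label) and len(core) - len(l_label) <= 3:
        return "%s plus short suffix" % legit
    # Typosquat: roughly one edit allowed per six characters of the real label.
    d = levenshtein(core, l_label)
    if d <= max(1, len(l_label) // 6):
        return "edit distance %d from %s" % (d, legit)
    return None


def scan(candidates, watchlist):
    """Map each suspicious candidate to the first watchlist match and reason."""
    hits = {}
    for cand in candidates:
        for legit in watchlist:
            reason = lookalike_reason(cand, legit)
            if reason:
                hits[cand] = reason
                break
    return hits


if __name__ == "__main__":
    for domain, reason in scan(CANDIDATES, WATCHLIST).items():
        print("%-26s %s" % (domain, reason))
```

Run on the constructed list, the two domains from the report and the other-TLD variant are flagged while the genuine domain and the unrelated vendor pass; a mail gateway or a threat-intel pipeline can feed real candidate lists through `scan()` and route hits to a reviewer.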

Additionally, the attackers use malicious attachments to install malware on unsuspecting victims’ computers. This is exactly what they do to users outside heightened-security industries, only in these cases the attachments tend to be more specific, to get the intended victim to open them.

Whereas many people receive and, unfortunately, open attachments that say “Undeliverable USPS Parcel Shipping Details,” those who work for more security-conscious targets are sent documents they won’t suspect of being malicious:

  • A military official in Pakistan received a Word document claiming to relate to the Homeland Security Summit in the Middle East.
  • Polish government employees received a document related to the shooting down of flight MH17 over Ukraine.
  • Military officials in multiple countries received an Excel attachment posing as a list of journalists accredited at the APEC Summit 2013.

From Operation Pawn Storm - A Trend Micro Research Paper

  • The Vatican Embassy in Iraq received a Word document claiming to be about a bombing the day before.

It’s not a USPS package that couldn’t be delivered; it’s specific, relevant information for the targeted recipient.

From these examples you can see how social engineering works across every sector, and how cyber criminals have become adept at precisely targeting their victims to get the desired information or result from the attack.
