Pawn Storm, the long-running cyber espionage campaign, added to its long list of targets several government offices (including the office of the prime minister and the Turkish parliament) and one of the largest newspapers in Turkey.
Pawn Storm has been known to attack a diverse list of targets, including armed forces, diplomats, journalists, political dissidents, and software developers.
Many of these targets share a common trait: they could be perceived as a threat to Russian politics in some way or form. We believe that these attacks against Turkey were related to previous Pawn Storm-related incidents in summer and fall 2015, which targeted the Syrian opposition and about all of the Arab countries that voiced criticism of Russia’s interventions in Syria.
Trend Micro was able to provide early warning to the Turkish authorities about the attacks, which helped mitigate the potential damage that these attacks could have done had they gone unnoticed.
Pawn Storm has repeatedly shown interest in getting information from countries of political/geopolitical interest. By those standards, there are many reasons why attackers would choose to target Turkey. These include:
- Disagreements with Russia over various issues, including the shootdown of a Russian jet over Syria in November 2015 by the Turkish Air Force
- Internal disputes with Kurdish groups within its borders
- The flow of refugees attempting to enter Europe via Turkey
We list the targets below, along with the dates of when these OWA servers were spotted:
- The Directorate General of Press and Information of the Turkish government (January 14 and February 2, 2016)
- The Türkiye Büyük Millet Meclisi (The Grand National Assembly of Turkey) (February 3, 19, and 26, 2016)
- Turkish newspaper Hürriyet (February 17, 24, and 29, 2016)
- Başbakanlık, the office of the prime minister of Turkey (February 29, 2016)
In its assault against Turkey, Pawn Storm makes use of network infrastructure based in the Netherlands. They seem to have found a cozy home at a VPS provider with a postal address in the United Arab Emirates and servers in a datacenter in the Netherlands. This isn’t the first time Pawn Storm has used this particular VPS provider. Dozens of Pawn Storm attacks in 2015 and 2016 were carried out using this provider's service, as were attacks by other threat actor groups such as DustySky and Carbanak. This provider has also been used by actors who targeted users of one of the largest Russian banks. This makes the provider look like a bulletproof hosting service in the Netherlands.