We’re available from 9 am to 6 pm on weekdays. Contact Us.
Cyberthreat: Two Years of Pawn Storm

Pawn Storm is an active cyber espionage actor group that has been very aggressive and ambitious in recent years. The group’s activities show that foreign and domestic espionage and influence on geopolitics are the group’s main motives, and not financial gain. Its main targets are armed forces, the defense industry, news media, politicians, and dissidents.

We can trace activities of Pawn Storm back to 2004, and before our initial report in 2014 there wasn’t much published about this actor group. However, since then we have released more than a dozen detailed posts on Pawn Storm. This new report is an updated dissection of the group’s attacks and methodologies—something to help organizations gain a more comprehensive and current view of these processes and what can be done to defend against them.

Pawn Storm is becoming increasingly relevant particularly because it is doing more than just espionage activities. In 2016, the group attempted to influence public opinion, to influence elections, and sought contact with mainstream media with some success. Now the impact of these malicious activities can be felt by various industries and enterprises operating throughout the world. Even average citizens of different countries might be affected as Pawn Storm tries to manipulate people’s opinions about domestic and international affairs. The attacks of Pawn Storm may even serve as an example for other actors, who could copy tactics and repurpose them to fit their own objectives.

As we look at Pawn Storm’s operations over a two-year period, we can see how the group has become more adept at manipulating events and public opinion through the gathering and controlled release of information. Many events—like their involvement in the Democratic National Convention hack—have been covered extensively. The group’s cyber propaganda methods—using electronic means to influence opinion —creates problems on multiple levels. Aside from manipulating the public, their operations also discredit political figures and disrupt the established media. The proliferation of fake news and fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at high-impact information, presumably in an attempt to skew public perception on a certain topic or person.

In this paper, we take a deeper look at the facts we have compiled and delve into the variety of attacks that the group is using. Pawn Storm is known for its sophisticated social engineering lures, efficient credential phishing, zero days, a private exploit kit, an effective set of malware, false flag operations, and campaigns to influence the public opinion about political issues.

At its core, Pawn Storm—also known as Sednit , Fancy Bear, APT28, Sofacy, and STRONTIUM —is still a persistent cyber espionage actor group. The actors often attack the same target from different sides, using multiple methods to reach their goals. It generally relies on practiced techniques, specifically when it comes to phishing. Credential phishing has been a key part of many compromises done by Pawn Storm in recent years and we were the first to describe them in detail from 2014 and onwards.

We start this paper with a section on false flag operations and a rundown of Pawn Storm’s attempts to influence the public opinion. The second section focuses on different methods used to attack free and corporate webmail—mostly through sophisticated phishing tactics. The third section details Pawn Storm’s campaigns that we tracked over the years, and lists their intended targets. The next section covers their preferred attacks, facilitators, and also their attitude towards their own operational security. And lastly, we give some guidelines on how to defend against Pawn Storm.


Click here to read the report.


Communicated by Trend Micro