Pawn Storm

Threat Actor Profile (updated 2 months ago)
Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. This group is notorious for targeting governments, militaries, and security organizations worldwide. In recent years, the methods employed by Pawn Storm have become increasingly sophisticated. Starting from April 2023, they began utilizing more elaborate techniques in their attacks, including credential phishing and the use of VPN services. They even established phishing websites using webhooks, with site URLs notably active in November and December 2023.

The EdgeRouter botnet was a significant tool in Pawn Storm's arsenal. This botnet, which dates back to 2016, was disrupted by the US FBI in January 2024. However, before its disruption, Pawn Storm had likely brute-forced the credentials of backdoored SSH servers, gaining access to a pool of EdgeRouter devices for various malicious purposes.

During an investigation into a Linux botnet targeted in a partial takedown by the FBI in January 2024, researchers discovered another Linux botnet running on some of the same EdgeRouters previously exploited by Pawn Storm. Trend Micro and ANSSI's data reveal that Pawn Storm, along with at least two other prominent cybercriminal groups, used this botnet. The NTLMv2 hash relay attacks and the proxying of credential phishing were attributed specifically to Pawn Storm.

These findings highlight the multi-faceted threat posed by Pawn Storm, not only to individual users but also to larger entities such as governments and security organizations. As Pawn Storm continues to evolve its tactics, techniques, and procedures (TTPs), it remains a significant cybersecurity concern.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT28 | 6 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Forest Blizzard | 4 | Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
Fancy Bear | 3 | Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Sednit | 3 | Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor associated with Russia's military intelligence. Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. ESET has shed lig
STRONTIUM | 2 | Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita
IRON TWILIGHT | 2 | IRON TWILIGHT is a threat actor believed to be associated with the GRU, Russia's military intelligence agency. This association has been suggested by various researchers, including those from CrowdStrike and CTU, based on the characteristics of the group's activities. The group became particularly a
Sofacy Group | 2 | The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a significant threat actor in the global cybersecurity landscape. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. The group's activit
Sofacy | 2 | Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Apt
Exploit
Phishing
Vpn
Proxy
Spam
Malware
Botnet
Linux
Exploits
Implant
State Sponso...
Rat
Exploit Kit
Outlook
Vulnerability
Zero Day
WinRAR
Europe
Associated Malware
ID | Type | Votes | Profile Description
EdgeRouter Botnet | Unspecified | 1 | The EdgeRouter botnet, a malware variant, has been in operation since 2016 and was notably used by the Pawn Storm group until it was disrupted by the US FBI in January 2024. This malicious software is designed to exploit and damage computer systems, often infiltrating without the user's knowledge th
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 1 | Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-38831 | Unspecified | 1 | CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References
Information about the Pawn Storm threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 2 months ago | APT28 targets key networks in Europe with HeadLace malware
Securityaffairs | 2 months ago | Russia-linked APT28 targets government Polish institutions
Securityaffairs | 3 months ago | NATO and the EU formally condemned APT28 cyber espionage
Securityaffairs | 3 months ago | Russia-linked APT28 and crooks are still using the Moobot botnet
Trend Micro | 3 months ago | Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
Securityaffairs | 3 months ago | Russia-linked APT28 used tool GooseEgg for to exploit Win bug
CERT-EU | 5 months ago | Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
Securityaffairs | 5 months ago | US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
Checkpoint | 6 months ago | 5th February – Threat Intelligence Report - Check Point Research
Trend Micro | 6 months ago | Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
Securityaffairs | 8 months ago | Russia's APT8 exploited Outlook 0day to target EU NATO members
Unit42 | 8 months ago | Fighting Ursa Aka APT28: Illuminating a Covert Campaign
Securityaffairs | 8 months ago | Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
Securityaffairs | 9 months ago | ANSSI warns of Russia-linked APT28 attacks on French entities
Securityaffairs | a year ago | APT28 hacked Roundcube email servers of Ukrainian entities
MITRE | a year ago | Threat Group 4127 Targets Hillary Clinton Presidential Campaign
MITRE | a year ago | IRON TWILIGHT Supports Active Measures
MITRE | a year ago | Pawn Storm's Lack of Sophistication as a Strategy
MITRE | a year ago | Sednit Espionage Group Attacking Air-Gapped Networks | WeLiveSecurity
MITRE | a year ago | Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag