Pawn Storm

Threat Actor updated 2 days ago (2024-09-05T13:17:46.035Z)
Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for targeting governments, militaries, and security organizations worldwide; the many names it goes by reflect the cybersecurity industry's lack of a standard naming convention. In recent years the group has employed increasingly sophisticated methods in its cyberattacks. Beginning in April 2023, it adopted more elaborate techniques, including the use of VPN services and credential phishing via specially crafted websites. The EdgeRouter botnet that Pawn Storm had used since 2016 was disrupted by the US FBI in January 2024. This botnet was instrumental in the group's attacks: it gave them access to a pool of EdgeRouter devices by brute-forcing the credentials of their backdoored SSH servers. Pawn Storm's credential phishing websites were also active in November and December 2023, using webhooks to capture sensitive user information. During an investigation into a Linux botnet partially taken down by the FBI in early 2024, researchers discovered a second Linux botnet running on some of the same EdgeRouters that Pawn Storm had previously exploited. According to Trend Micro, at least two other prominent cybercriminal groups used this botnet alongside Pawn Storm. Trend Micro attributes the NTLMv2 hash relay attacks and the proxying of credential phishing to Pawn Storm, highlighting the group's diverse and evolving tactics.
Description last updated: 2024-09-05T13:15:59.625Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
APT28 | 7 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Forest Blizzard | 4 | Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
Sednit | 3 | Sednit, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, BlueDelta, and Strontium, is a threat actor associated with Russia's military intelligence. The group has been active since at least 2007, primarily targeting governments, militaries, and security organizations worldwide. Notably, Se
Fancy Bear | 3 | Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Sofacy | 2 | Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
IRON TWILIGHT | 2 | IRON TWILIGHT is a threat actor believed to be associated with the GRU, Russia's military intelligence agency. This association has been suggested by various researchers, including those from CrowdStrike and CTU, based on the characteristics of the group's activities. The group became particularly a
STRONTIUM | 2 | Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's
Sofacy Group | 2 | The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a well-established threat actor that has been active since at least 2007. This group, which could be an individual, a private company, or part of a government entity, has targeted governments, militar
Miscellaneous Associations
Other elements of context that could aid in assessing relevance
APT
Phishing
Exploit
Spam
Botnet
Linux
Malware
VPN
Proxy
Source Document References
Information about the Pawn Storm threat actor was read from the document corpus below (this display is limited to 20 results).
Source | Created | Title
Securityaffairs | 2 days ago | Is Russian group APT28 behind the cyber attack on the German air traffic control agency (DFS)?
Securityaffairs | 3 months ago | APT28 targets key networks in Europe with HeadLace malware
Securityaffairs | 4 months ago | Russia-linked APT28 targets government Polish institutions
Securityaffairs | 4 months ago | NATO and the EU formally condemned APT28 cyber espionage
Securityaffairs | 4 months ago | Russia-linked APT28 and crooks are still using the Moobot botnet
Trend Micro | 4 months ago | Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
Securityaffairs | 5 months ago | Russia-linked APT28 used tool GooseEgg for to exploit Win bug
CERT-EU | 6 months ago | Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
Securityaffairs | 7 months ago | US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
Checkpoint | 7 months ago | 5th February – Threat Intelligence Report - Check Point Research
Trend Micro | 7 months ago | Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
Securityaffairs | 9 months ago | Russia's APT8 exploited Outlook 0day to target EU NATO members
Unit42 | 9 months ago | Fighting Ursa Aka APT28: Illuminating a Covert Campaign
Securityaffairs | 9 months ago | Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
Securityaffairs | 10 months ago | ANSSI warns of Russia-linked APT28 attacks on French entities
Securityaffairs | a year ago | APT28 hacked Roundcube email servers of Ukrainian entities
MITRE | 2 years ago | Threat Group 4127 Targets Hillary Clinton Presidential Campaign
MITRE | 2 years ago | IRON TWILIGHT Supports Active Measures
MITRE | 2 years ago | Pawn Storm's Lack of Sophistication as a Strategy
MITRE | 2 years ago | Sednit Espionage Group Attacking Air-Gapped Networks | WeLiveSecurity