A new report from cybersecurity firm Trend Micro says hackers known as Fancy Bear (also Pawn Storm and APT 28) seem to be preparing an "espionage campaign" against the U.S. Senate.
Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017. The real ADFS server of the U.S. Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.
Like many cybersecurity companies, Trend Micro refuses to speculate publicly on who is behind such groups, referring to Pawn Storm only as having "Russia-related interests." But the U.S. intelligence community alleges that Russia's military intelligence service pulls the hackers' strings and a months-long Associated Press investigation into the group, drawing on a vast database of targets supplied by the cybersecurity firm Secureworks, has determined that the group is closely attuned to the Kremlin's objectives.
If Fancy Bear has targeted the Senate over the past few months, it wouldn't be the first time. An AP analysis of Secureworks' list shows that several staffers there were targeted between 2015 and 2016.
Trend Micro researcher Feike Hacquebord tells Business Insider that the Pawn Storm's tactics may not seem complicated, but the process as a whole is designed with practiced intention:
"They have to know who they want to target, and the timing is important," Hacquebord said. "The techniques may not be advanced but the social engineering is. They've been using these same tactics for quite some time, and it's been quite effective. They are also very persistent."
He added that Pawn Storm was using zero-days, or software vulnerabilities that can be exploited by hackers before the developer discovers and patches it.
"These zero days are expensive on the black market," Hacquebord said. "This is not the stuff of amateurs."
Trend Micro was the firm that uncovered Fancy Bear's attempts to hack into French President Emmanuel Macron's email account. The researchers found that the hackers had created a phishing domain that impersonated the site that was used by En March, the political party Macron founded in 2016.
The hackers used the same technique to try to infiltrate the Senate, Hacquebord told the AP.
"That is exactly the way they attacked the Macron campaign in France," he said.
Senator Ben Sasse (R-NE) responds:
Read more: Cybersecurity Firm: US Senate in Russian Hackers' Crosshairs (AP)
Russian hackers are laying the groundwork to spy on the US Senate, cybersecurity firm says (Business Insider)
Update on Pawn Storm: New Targets and Politically Motivated Campaigns (Trend Micro)