US Senate being targeted by 'Fancy Bear' Russian state hackers, claims Trend Micro

A cyber crime gang believed to be linked to the Russian state has turned its attention to the US Senate as part of a string of attacks on American political organisations.

That's according to security specialists at Trend Micro.

In a report, Trend Micro claims that the so-called 'Fancy Bear' hacking group, also referred to as 'Pawn Storm', has turned its attention to the US legislature as it seeks to increase the number of compromised computers in the American political establishment.

Security specialists at Trend Micro have identified a range of email-based phishing campaigns targeting accounts associated with the Senate coming from the group.

"While these emails might not seem to be advanced in nature, we've seen that credential loss is often the starting point of further attacks that include stealing sensitive data from email in-boxes," warned Trend Micro security researcher Feike Hacquebord.

Hacquebord, who also refers to Fancy Bear as 'Pawn Storm' in the report, explained that the infamous hacking group conducted these attacks towards the end of last year.

"In the second half of 2017 Pawn Storm, an extremely active espionage actor group, didn't shy away from continuing their brazen attacks," he said.

"Usually, the group's attacks are not isolated incidents, and we can often relate them to earlier attacks by carefully looking at both technical indicators and motives."

To trick users into disclosing their login credentials, the crooks sent a series of standard phishing baits, such as Microsoft Exchange emails alerting them about expired passwords or about new files being added to their OneDrives.

"One type of email is supposedly a message from the target's Microsoft Exchange server about an expired password. The other says there is a new file on the company's OneDrive system," said the researcher.

Hacquebord said that while these attacks are simple, they can get results. "These attacks don't show much technical innovation over time, but they are well prepared, persistent, and often hard to defend against," he said.

"Pawn Storm has a large toolset full of social engineering tricks, malware and exploits, and therefore doesn't need much innovation apart from occasionally using their own zero-days and quickly abusing software vulnerabilities shortly after a security patch is released."

Hacquebord said the organisation is trying to bring down the Senate. "Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the US Senate," he added.

"By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017.

"The real ADFS server of the US Senate is not reachable on the open internet, however phishing of users' credentials on an ADFS server that is behind a firewall still makes sense."