Russia-linked APT28 is using stolen corporate email accounts to facilitate phishing attacks

Almost 40 per cent of the attacks launched by the group, also known as Pawn Storm, over the past year targeted defence companies

Russia-linked APT28, also known as Pawn Storm, is using previously hacked email accounts to facilitate credential phishing attacks against high-profile targets in the Middle East.

That's the warning from researchers at Trend Micro who claim in their latest report [PDF] that nearly 38 per cent of the attacks launched by the group were targeted at the defence sector, while the rest of the attacks attempted to compromise government, construction and banking organisations.

This cyber campaign by Pawn Storm started in May last year and is still ongoing, according to the researchers. To compromise its selected targets, the group has been using a variety of attack methods, including server scanning and credential phishing.

Trend Micro said it has been closely monitoring the activities of Pawn Storm as well as its methodologies and attack vectors for many years.

Since last May, the researchers have observed Pawn Storm members connecting to a dedicated server using the OpenVPN option of a VPN provider. The operators then used compromised email accounts to send credential phishing spam through a commercial email service provider.

Apart from defence entities in the Middle East, the group was also seen launching phishing attempts to target financial, transportation, utilities and government sectors in the US, India and other countries.

The group regularly probed a large number of Microsoft Exchange Autodiscover servers in various countries in the hope of discovering vulnerable systems to exploit. Eventually, it attempted to brute-force email credentials and to steal email data.

The Pawn Storm group, which is also known as Fancy Bear and APT28, has been active since 2004. The notorious threat group has long conducted espionage activities against military entities and defence ministries in multiple countries for Russia's economic and political gain.

The group is also thought to have infiltrated the networks of the Democratic National Committee (the governing body of the US Democratic Party) in 2016. Nearly two years after that intrusion, the US Department of Justice linked Pawn Storm with the Main Intelligence Directorate of the Russian General Staff.

Trend Micro is advising organisations to regularly monitor their infrastructure for unusual access patterns and to patch their systems as soon as possible.

Organisations must also educate their employees not to click on links or open attached files in unexpected emails.
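
The monitoring for unusual access patterns advised above can start with the web-server logs in front of Exchange. The following is an added example, not code from Trend Micro's report: it flags clients that produce a burst of failed Autodiscover logins and records any successful login that follows. The log field order, thresholds and function name are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the report). Assumed field order:
# ISO timestamp, client IP, method, URI path, username ("-" if none), HTTP status.
SAMPLE_LOG = """\
2020-03-02T08:00:01 198.51.100.7 POST /autodiscover/autodiscover.xml alice 401
2020-03-02T08:00:03 198.51.100.7 POST /autodiscover/autodiscover.xml bob 401
2020-03-02T08:00:05 198.51.100.7 POST /autodiscover/autodiscover.xml carol 401
2020-03-02T08:00:09 198.51.100.7 POST /Autodiscover/Autodiscover.xml dave 401
2020-03-02T08:00:12 198.51.100.7 POST /autodiscover/autodiscover.xml erin 200
2020-03-02T08:05:00 203.0.113.20 POST /autodiscover/autodiscover.xml frank 401
2020-03-02T08:05:30 203.0.113.20 POST /autodiscover/autodiscover.xml frank 200
2020-03-02T09:00:00 192.0.2.44 GET /owa/ grace 200
"""

def find_autodiscover_bruteforce(log_text, max_failures=4, window=timedelta(minutes=5)):
    """Return {ip: finding} for clients with >= max_failures 401s inside `window`."""
    failures = defaultdict(deque)  # ip -> recent (timestamp, username) 401 events
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the scan
        ts_raw, ip, _method, path, user, status = parts
        if not path.lower().startswith("/autodiscover/"):
            continue  # only the Autodiscover endpoint is of interest here
        ts = datetime.fromisoformat(ts_raw)
        recent = failures[ip]
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if status == "401":
            recent.append((ts, user))
            if len(recent) >= max_failures:
                previous = findings.get(ip, {})
                findings[ip] = {
                    "failures": len(recent),
                    "accounts": sorted({u for _, u in recent}),
                    "success_after_failures": previous.get("success_after_failures"),
                }
        elif status == "200" and ip in findings and recent:
            # A success straight after a failure burst: the account needs investigating.
            findings[ip]["success_after_failures"] = user
    return findings

if __name__ == "__main__":
    for ip, finding in find_autodiscover_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

A single mistyped password followed by a success, as with the second client in the sample, stays below the threshold and is not reported.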