That's the warning from researchers at Trend Micro, who say in their latest report [PDF] that nearly 38 per cent of the attacks launched by the group were targeted at the defence sector, while the rest attempted to compromise government, construction and banking organisations.
This cyber campaign by Pawn Storm started in May last year and is still ongoing, according to the researchers. To compromise its selected targets, the group has been using a variety of attack methods, including server scanning and credential phishing.
Trend Micro said it has been closely monitoring the activities of Pawn Storm as well as its methodologies and attack vectors for many years.
Since last May, the researchers have observed Pawn Storm members connecting to a dedicated server using the OpenVPN option of a VPN provider. The operators then used compromised email accounts to send credential-phishing spam emails through a commercial email service provider.
Apart from defence entities in the Middle East, the group was also seen launching phishing attempts to target financial, transportation, utilities and government sectors in the US, India and other countries.
The group regularly probed a large number of Microsoft Exchange Autodiscover servers in various countries in the hope of discovering vulnerable systems to exploit. It then attempted to brute-force email credentials and to steal email data.
The Pawn Storm group, which is also known as Fancy Bear and APT28, has been active since 2004. The notorious threat group has long conducted espionage against military entities and defence ministries in multiple countries for Russia's economic and political gain.
The group is also thought to have infiltrated the networks of the Democratic National Committee (the governing body of the US Democratic Party) in 2016. Nearly two years after that intrusion, the US Department of Justice linked Pawn Storm with Russia's Main Intelligence Directorate of the Russian General Staff.
Trend Micro is advising organisations to regularly monitor their infrastructure for unusual access patterns and to patch their systems as soon as possible.
Organisations must also educate their employees not to click on links or open attached files in unexpected emails.
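As an added example (not code from Trend Micro or its report), the following Python script shows one way to monitor for the Autodiscover credential brute-forcing described above: it parses IIS W3C log lines and flags source IPs with repeated failed authentications against the Autodiscover endpoint. The log lines, the IP addresses and the threshold are constructed assumptions, and real IIS logs carry more fields than the ones shown.

```python
from collections import defaultdict

# Constructed sample IIS W3C log (fields: date time cs-method cs-uri-stem
# cs-username c-ip sc-status); real logs carry more fields.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2020-03-12 08:00:01 POST /autodiscover/autodiscover.xml - 203.0.113.7 401
2020-03-12 08:00:02 POST /autodiscover/autodiscover.xml - 203.0.113.7 401
2020-03-12 08:00:03 POST /autodiscover/autodiscover.xml - 203.0.113.7 401
2020-03-12 08:00:04 POST /autodiscover/autodiscover.xml - 203.0.113.7 401
2020-03-12 08:00:05 POST /autodiscover/autodiscover.xml - 203.0.113.7 401
2020-03-12 08:00:06 POST /Autodiscover/Autodiscover.xml EXAMPLE\\alice 198.51.100.4 200
2020-03-12 08:00:07 GET /owa/ - 198.51.100.9 401
2020-03-12 08:00:08 POST /autodiscover/autodiscover.xml - 198.51.100.9 401
"""

AUTODISCOVER = "/autodiscover/autodiscover.xml"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):   # drop malformed lines, don't miscount
                yield dict(zip(fields, parts))


def failed_autodiscover_by_ip(text):
    """Count 401 responses on the Autodiscover endpoint per client IP."""
    counts = defaultdict(int)
    for rec in parse_w3c(text):
        # Compare case-insensitively: IIS URL paths are not case-sensitive.
        if rec["cs-uri-stem"].lower() == AUTODISCOVER and rec["sc-status"] == "401":
            counts[rec["c-ip"]] += 1
    return dict(counts)


def suspicious_sources(text, threshold=5):
    """IPs with at least `threshold` failed Autodiscover authentications."""
    return sorted(ip for ip, n in failed_autodiscover_by_ip(text).items()
                  if n >= threshold)
```

A single 401 from a source is normal (an expired password, a misconfigured client); the threshold is what separates that noise from a credential-guessing pattern, so tune it against your own baseline.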