January 31, 2024 at 03:00AM
Pawn Storm, also known as APT28 and Forest Blizzard, has been using a mix of brute force and stealth to launch NTLMv2 hash relay attacks against high-value targets, particularly government departments, from April 2022 to November 2023. The group's aggressive and repetitive spear-phishing campaigns mask its advanced and stealthy post-exploitation activity, which often runs through anonymization layers and compromised email accounts.
The persistence of these NTLMv2 hash relay attempts against high-value organizations and government departments, combined with the deliberate blend of brute force and stealth, shows a sophisticated and determined adversary.
Pawn Storm's extensive use of anonymization layers, including VPN services, Tor, compromised EdgeOS routers, and free web hosting services, lets the group obscure its tracks and operate covertly. The threat actor has been observed using a range of technical tricks and infrastructure, some of which have persisted for over a decade, which contributes to its advanced and stealthy profile.
Furthermore, Pawn Storm’s activities have extended beyond traditional phishing campaigns, incorporating more elaborate methods such as the exploitation of vulnerabilities in Outlook and WinRAR, as well as the deployment of information stealers without a command-and-control (C&C) server.
The group has displayed a global reach, targeting organizations and entities in Europe, North America, South America, Asia, Africa, and the Middle East, spanning the government, defense, energy, transportation, and other sectors. These operations indicate a sustained and widespread threat to high-profile targets.
In conclusion, Pawn Storm's multi-faceted approach, from NTLMv2 hash relay attacks to the use of anonymization layers and advanced phishing campaigns, underscores its ability to persistently and aggressively infiltrate networks, posing a significant challenge to network defenders. The detailed technical analysis and indicators of compromise in the original report are a valuable resource for organizations looking to strengthen their defenses against Pawn Storm's persistent and advanced threats.