Pawn Storm (aka Fancy Bear) has been attempting to phish webmail accounts for many years now, targeting U.S. senators and political organizations across the world, according to a recent Trend Micro report (PDF).
Those include international and military organizations, Ministry of Defenses, Ministry of Foreign Affairs, intelligence units and defense contractors that provide IT services and engineering/robotics design for the U.S. government.
Reports of a campaign targeting the U.S. Senate comes amid the release of a separate Minority Staff Report (PDF) detailing the need to secure the 2018 and 2020 U.S. elections against foreign state hacking.
Phishing sites were set up last June to mimic the Senate's Active Directory Federation Services (ADFS) server, according to BankInfoSecurity. The server provides single sign-on access to multiple organizations' systems and applications.
While the U.S. Senate's ADFS server isn't Internet-facing, phishing their users' credentials can help attackers move laterally and target high-profile users of interest.
Additional Threat Techniques
The report describes the use of 'tabnabbing.' The hacking group sends an email to a user with a link - when the user clicks on it, it opens into a new tab, showing a legitimate news or conference website. The user's other tab, their webmail, is changed via JavaScript to a phishing site, prompting the user to log in again due to an expired session.
Another technique involves using stolen DNS administrator credentials to compromise the DNS settings of mail servers, changing them to point to a foreign server, according to Trend Micro. This allows an attacker to receive all incoming mail that would normally be sent to the victim organization. The Ministry of Foreign Affairs in an Eastern European country was the target of one such attack.
Finally, an analysis of the spear phishing email headers shows that the group's content strategy centers around using recent, newsworthy events to entice users to open the email messages.
Mitigation Recommendations
While two-factor authentication (2FA) can help stop attackers from logging into accounts with phished credentials, it's important to use the most secure method available.
SMS-based 2FA can be easily phished, rendering it less secure than using a physical security key to verify your identity before logging into webmail or other applications. An attacker would need physical access to your security key and laptop in order to compromise this method of authentication.
U2F, or Universal 2nd Factor, is an authentication standard developed by the FIDO (Fast IDentity Online) Alliance that uses strong public key cryptography to secure login access - it's been deployed by Facebook, Gmail, Salesforce.com, the U.K. government and many others, as noted by Yubico.
The method allows a user to tap a USB device plugged into their laptop to quickly and securely log in, protecting against phishing, man-in-the-middle and other threats. This method uses something you have to verify your identity.
Additional methods may include biometrics-based authentication, such as fingerprint ID, which has been integrated into consumer products such as iPhones and Android devices. This adds another layer of security to verify your identity through a different factor, known as something you are.
While phishing can work to steal passwords, malicious emails can also contain malware attachments used to infect and compromise devices. Users that log into your networks with infected devices can introduce new risks, and allow attackers entry. Endpoint security solutions can help you identify risky devices, encourage users to remediate, and block devices from logging into your company resources. When it comes to security protection, organizations need to ensure the trust of both users and their devices before granting them access.