Russian hacking group Sednit is behind the attacks

Jul 14, 2015 09:33 GMT

Operation Pawn Storm, a hacking group specialized in cyber-espionage, has been caught using a Java zero-day vulnerability against the armed forces of an unnamed NATO member and a US defense organization, Trend Micro reports.

Pawn Storm, also known as APT28, Sofacy or Sednit, has been active since 2007, but became notorious after attacks on the Polish government in October 2014 and on several NATO countries and the White House in April 2015.

In this series of new attacks, Pawn Storm has been detected using a Java-based zero-day exploit, the first of its kind in the last two years.

According to Trend Micro, only the latest Java release at the time, version 1.8.0.45 (Java 8 Update 45, which `java -version` reports as 1.8.0_45), is affected; curiously, older branches such as Java 1.6 and Java 1.7 are not.
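Since the report ties exposure to one specific Java version, the first thing a practitioner would want is a quick inventory check. The following Python is an added example, not code from the article or from Trend Micro: it parses the banner that `java -version` prints (on stderr) and flags the 1.8.0_45 release named above. The sample banners are constructed, and the `AFFECTED_VERSIONS` set simply encodes the version the article reports; it handles both the dotted form used in the article and the underscore form Java prints, and also the plain dotted strings of later Java releases.

```python
import re
import subprocess

# The version Trend Micro reported as affected (the article writes it as
# 1.8.0.45; the JVM prints it as 1.8.0_45). Constructed from the article.
AFFECTED_VERSIONS = {(1, 8, 0, 45)}

# First line of `java -version` / `openjdk -version` output looks like:
#   java version "1.8.0_45"          (Oracle JDK 8)
#   openjdk version "11.0.2" 2019-01-15   (later releases, plain dotted)
VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(banner):
    """Return the numeric version tuple from a `java -version` banner, or None.

    "1.8.0_45" -> (1, 8, 0, 45); "11.0.2" -> (11, 0, 2).
    Non-numeric suffixes such as "-ea" on a component are ignored.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    components = re.split(r"[._]", match.group(1))
    numbers = []
    for part in components:
        digits = re.match(r"\d+", part)
        if not digits:
            break
        numbers.append(int(digits.group()))
    return tuple(numbers) if numbers else None


def is_affected(banner):
    """True if the banner names a Java build on the affected list."""
    version = parse_java_version(banner)
    return version is not None and version in AFFECTED_VERSIONS


def check_local_java():
    """Run `java -version` on this host and report whether it is affected.

    The JVM writes the version banner to stderr, not stdout.
    Returns None when no java binary is on the PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_affected(proc.stderr)


if __name__ == "__main__":
    result = check_local_java()
    if result is None:
        print("no java binary found on PATH")
    else:
        print("affected" if result else "not on the affected list")
```

Note that this only inventories the JRE that is first on the PATH; hosts often carry several installs, and the browser plug-in may use a different one, so the check is a starting point for triage rather than proof of safety.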

First Java zero-day exploit detected in two years

Email messages carrying malicious URLs were used to lure targets to the page hosting the Java exploit. Once the page is loaded, the exploit file JAVA_DLOADR.EFD delivers TROJ_DROPPR.CXC, a basic Trojan dropper.

The dropper then places SPY_FAKEMS.C in the "login user" folder, from where "it executes arbitrary code on the default Java settings thus compromising the security of the system," as Trend Micro's researchers explain.

Trend Micro did not name the NATO country or the US defense organization where the attack was sighted, but said that its products already detect and flag this threat.

Oracle was informed of the problem and is working on a fix.

The cyber-espionage component is evident

Operation Pawn Storm has been known to vary its attacks, using different tactics in the past, from targeting air-gapped devices in November 2014, to using malware on iOS devices this February, and even basic phishing with the White House attacks.

The group's targets are, coincidentally or not, organizations and countries at odds with Russia, which in turn has its own disputes with them, and many security experts have not been shy about linking the group to the Russian government itself.

Just this May, while the US and its allies were preparing to extend economic sanctions on the Russian government for a further six months, root9B Technologies exposed a major Pawn Storm attack aimed at some of the world's largest financial institutions.

We're not going to say it without proof, but you be the judge: coincidence or not? We tend to think not.