Since at least 2004, the party is often referred to as APT28, Sednit, Fancy Bear and Strontium, and claimed to be funded by the Russian GRU Intelligence Service. The adversary is alleged to have coordinated assaults on Russia, NATO, and the DNC in the run-up to the 2016 vote in the United States. Throughout years, Pawn Storm focused on phishing to obtain exposure to networks of interest. Still, Trend Micro noticed a change in strategies, methods, and procedures (TTP) in May 2019, when the company began utilizing compromised high-profile email addresses to deliver password phishing emails. The system was used both in 2019 and 2020, with the most abuse of email addresses belonging to military contractors in the Middle East. Many victims were found in the travel, infrastructure, and government sectors. Last year, the community also investigated email servers and Microsoft Exchange Autodiscover services worldwide, primarily hitting TCP port 443, IMAP ports 143 and 993, POP3 ports 110 and 995, and SMTP ports 465 and 587. These attacks may have been targeted at finding insecure frameworks for brute-force authentication, exfiltrating addresses, and sending out spam. Around August and November 2019, the organization attacked security forces, arms contractors, states, law firms, political parties, and colleges, as well as private schools in France and the United Kingdom, and kindergartens in Germany. Throughout November and December 2019, attackers used the same IP address for hosting websites and testing networks with exposed 445 and 1433 ports, possibly to identify compromised servers operating Microsoft SQL Server and Directory Services. Throughout 2017 and 2019, Pawn Storm conducted several login phishing attacks from their websites, including malware floods targeting webmail companies in the United States, Russia, and Iran, according to security analysts.
