The Pawn Storm Russian cyberespionage group that frequently targets government institutions from NATO member countries tried to infiltrate the international investigation into the crash of Malaysia Airlines Flight 17 (MH17).
Security researchers from Trend Micro have found evidence that Pawn Storm, which has long been suspected to have ties to the Russian intelligence services, has targeted the Dutch Safety Board before and after the MH17 report was finalized.
On Sept. 28, the group set up a rogue SFTP server mimicking the one used by the Dutch Safety Board. On Oct. 14, the group did the same with a virtual private networking (VPN) server.
On Sept. 29, a fake Outlook Web Access (OWA) server was also created by the group to target a partner of the Dutch Safety Board in the MH17 investigation, the Trend Micro researchers said in a blog post Thursday.
It is likely that the rogue servers were set up with the goal of phishing login credentials from people involved in the MH17 crash investigation in order to obtain access to confidential information, the researchers said.
Even though the Dutch Safety Board’s real server uses temporary access tokens for authentication, those can be easily stolen and don’t protect against one-time fraudulent access, the researchers said.
Most of Pawn Storm’s attacks to date have reflected Russia’s geo-political interests. The group has recently intensified its campaigns against critics of the country’s intervention in the Syrian conflict.
Over the past two months several rogue OWA servers were set up to launch phishing attacks against the military and ministries of defense and foreign affairs of most Middle Eastern countries that oppose the Russian military campaign in Syria, the Trend Micro researchers said.