Trend Micro Reveals Phishing Campaign Targeting US Senators

Trend Micro, a Japanese security company, published a report showing that the Pawn Storm / Fancy Bear cybercrime group has become increasingly aggressive in targeting political organizations and U.S. senators over the last few years.

Pawn Storm History

The first evidence of Pawn Storm's activities dates back to 2004, and for a decade its operations were quite stealthy. However, since Trend Micro took notice of the group in 2014, the company has published more than a dozen reports on its activities.


The security company found that Pawn Storm prefers phishing when targeting political organizations and politicians, and that its techniques haven't evolved much over the years. The attacks are nonetheless well prepared, persistent, and difficult to defend against. Pawn Storm's phishing mainly exploits known vulnerabilities that its targets have not yet patched; occasionally, it also uses zero-day software flaws.

The Pawn Storm group has been attacking political targets in France, Germany, Montenegro, Turkey, Ukraine, and the United States.

Cyberattack attribution is usually quite difficult, especially when dealing with sophisticated groups. There are many things such a group can do to hide its tracks, including impersonating other organizations to trick or derail those investigating its attacks. However, many of the security experts who have studied its attacks, as well as many of its targets, believe the group is tied to the Russian government.

Pawn Storm Targets U.S. Senate

Trend Micro recently discovered that the group has begun targeting the U.S. Senate internal email system, as well:

Beginning in June 2017, phishing sites were set up mimicking the ADFS (Active Directory Federation Services) of the U.S. Senate. By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017.

The real ADFS server of the U.S. Senate is not reachable on the open internet; however, phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.
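The report describes phishing sites built to mimic an organization's ADFS sign-in page, identified by comparing their fingerprints against earlier incidents. A defender with web-proxy logs can apply a similar idea at the hostname level: flag requests to hosts that are not the organization's real federation host yet carry ADFS-specific paths, federation keywords, or a look-alike of the organization's domain. The script below is an added example and is not Trend Micro's code or tooling; the legitimate host `adfs.example-senate.test`, the proxy log lines and the scoring weights are all constructed placeholders, since the page does not give the real Senate hostname.

```python
"""Triage web-proxy log lines for hosts that imitate an organisation's ADFS sign-in host.

Added example, not from the Trend Micro report. All hostnames below are
placeholders; the real federation host of the organisation is assumed to be
known to the defender and is never published here.
"""
import re
from urllib.parse import urlsplit

# Assumed legitimate federation host(s) of the organisation (placeholder).
LEGIT_HOSTS = {"adfs.example-senate.test"}
# Keywords commonly found in federation / SSO hostnames.
FEDERATION_TOKENS = ("adfs", "sts", "federation", "sso")
# Digits attackers substitute for look-alike letters; normalised before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})

# Constructed sample proxy log: timestamp client method url status
SAMPLE_PROXY_LOG = """\
2017-06-12T08:14:03Z 10.0.0.21 GET https://adfs.example-senate.test/adfs/ls/?wa=wsignin1.0 200
2017-06-12T08:15:40Z 10.0.0.21 GET https://adfs-example-senate.test/adfs/ls/ 200
2017-06-12T08:16:02Z 10.0.0.33 GET https://examp1e-senate.test/adfs/ls/ 200
2017-06-12T08:17:11Z 10.0.0.33 GET https://cdn.example.test/jquery.js 200
2017-06-12T08:18:45Z 10.0.0.40 GET https://sts.example-senate-login.test/login 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to spot typosquats of the registrable domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); a real deployment would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def brand_labels(legit_host: str) -> list:
    """Labels of the legitimate host that identify the organisation (drops TLD and generic tokens)."""
    return [lbl for lbl in legit_host.split(".")[:-1] if lbl not in FEDERATION_TOKENS]


def score_url(url: str, legit_hosts=LEGIT_HOSTS):
    """Return (score, reasons) for one URL; 0 for the organisation's own federation host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in legit_hosts:
        return 0, []
    score, reasons = 0, []
    if "/adfs/" in parts.path.lower():          # ADFS endpoint path on a foreign host
        score += 2
        reasons.append("adfs-path")
    if any(tok in host for tok in FEDERATION_TOKENS):
        score += 1
        reasons.append("federation-token")
    norm = host.translate(HOMOGLYPHS)           # examp1e -> example
    typosquat = next((l for l in legit_hosts
                      if levenshtein(registrable(norm), registrable(l)) <= 2), None)
    if typosquat:
        score += 2
        reasons.append(f"typosquat:{typosquat}")
    else:
        embedded = next((b for l in legit_hosts for b in brand_labels(l) if b in norm), None)
        if embedded:                            # brand name inside an unrelated domain
            score += 2
            reasons.append(f"brand-embedded:{embedded}")
    return score, reasons


def triage(log_text: str, threshold: int = 3) -> list:
    """Parse proxy lines and return (client, host, score, reasons) for hosts scoring >= threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        score, reasons = score_url(url)
        if score >= threshold:
            hits.append((client, urlsplit(url).hostname, score, reasons))
    return hits


if __name__ == "__main__":
    for client, host, score, reasons in triage(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} score={score} {','.join(reasons)}")
```

On the constructed log the legitimate host and the unrelated CDN score 0, while the three imitations are flagged for different reasons: the hyphenated copy embeds the organization's name, the digit-substituted one normalizes to the real domain, and the third mixes a federation keyword with an embedded brand. The threshold is deliberately conservative; tune it against the organization's own baseline, and treat a hit as a lead for a credential-reset and MFA check rather than proof of compromise.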

Senator Ron Wyden (D-OR), an outspoken member of the Senate Intelligence Committee, warned last spring that the Senate needs to adopt basic cybersecurity practices, such as two-factor authentication, to protect the senators and their staffs when they access sensitive government systems. Senator Wyden was also responsible for the Senate adopting Signal, the end-to-end encrypted messenger, for secure communications.

Comment from the forums
  • _lc_
    This is even older than Rome, and the US keeps abusing this so much that one can barely see them doing anything else. Before JFK was murdered, the CIA sent an Oswald lookalike "on tour" to be seen travelling to Mexico. Luckily, he was photographed near an embassy. The photos made it clear that, while he looked a lot like him, it wasn't Oswald...
    Whenever the US points the finger at a poison gas attack in Syria, you can be almost sure that they had something to do with it.
    With the Internet, this has become so much simpler, to the extent that when you point the finger, anybody who knows how "the internet" works has to laugh in the face of such "accusations".
    Therefore, when it comes from the US it is safe to stick to the "he who smelt it" idiom. ;-)