Pawn Storm APT group strikes again with old Office vulnerability

The Pawn Storm APT group is known for its attacks on the research council investigating the MH17 crash, on various ministries of foreign affairs, on government agencies and on NATO members.

The Pawn Storm APT group is also known by the following names:

  • Sofacy
  • Sednit
  • APT28
  • Strontium

The command and control servers identified by Palo Alto (domains are written with [.] so they are not clickable):

  • 191.101.31.6
  • munimonoce[.]com
  • wscapi[.]com
  • tabsync[.]net
  • storsvc[.]org
  • servicecdp[.]com

In their latest attack, they targeted the United States. Palo Alto did not specify which agency was attacked, but they were able to share the following about the attack:

On May 28, 2016, attackers sent a spear-phishing e-mail to a U.S. government entity using an email address belonging to the Ministry of Foreign Affairs of another country.

They state that the sending address was most likely not spoofed; instead, the host or the mail account at that Ministry had probably been compromised and was used to send the message:

Analysis of the attack revealed a high likelihood that the sender’s email address was not spoofed and is instead a result of a compromised host or account belonging to that Ministry.

Palo Alto goes on to explain that the Trojan delivered in this attack also sends beacons to google.com:

The Trojan delivered in this attack contains two network locations that it will send network beacons to, specifically “google.com” and “191.101.31.6”.

They also state that the attackers use this technique to make the real command and control beacons, which are sent to 191.101.31.6, less conspicuous: a host contacting google.com looks like ordinary traffic, so the decoy beacon can hide the malicious one in network logs. For defenders this means that traffic to google.com is not an indicator on its own; what matters is a host that contacts google.com and, around the same time, one of the domains or the IP address listed above. Note as well that an IP address indicator can be reassigned over time, so a hit on 191.101.31.6 should be confirmed against the domain indicators and the timing of the observed traffic before action is taken.
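To show how the indicators above can be used in practice, the following Python script is an added example, not code from the original article or from Palo Alto. It refangs the published domains, matches constructed proxy log lines (the three-column format and the sample source IPs are assumptions for the example) against the IP and domain indicators, and reports hosts that reached the real C2 separately from hosts that only produced the google.com decoy traffic, which is not an indicator on its own.

```python
# Added example (not from the Palo Alto report or the original article): match
# proxy/DNS log lines against the published Pawn Storm indicators and flag hosts
# that beacon to the real C2 while treating google.com as decoy traffic only.
import ipaddress
import re
from collections import defaultdict

# Indicators as published, in defanged form (brackets around the dot).
DEFANGED_IOCS = [
    "191.101.31.6",
    "munimonoce[.]com",
    "wscapi[.]com",
    "tabsync[.]net",
    "storsvc[.]org",
    "servicecdp[.]com",
]

# Destinations the Trojan beacons to that are NOT malicious by themselves.
DECOY_HOSTS = {"google.com"}


def refang(indicator):
    """Turn 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".")


IOC_IPS = set()
IOC_DOMAINS = set()
for ioc in DEFANGED_IOCS:
    clean = refang(ioc)
    try:
        IOC_IPS.add(str(ipaddress.ip_address(clean)))
    except ValueError:
        IOC_DOMAINS.add(clean.lower())


def domain_matches(host, ioc_domain):
    """Exact match or a subdomain of the indicator domain (not a substring)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed sample log lines (hypothetical format: timestamp, source IP,
# destination host or IP). These are not real observations.
SAMPLE_LOG = """\
2016-05-28T09:14:02Z 10.0.0.15 google.com
2016-05-28T09:14:03Z 10.0.0.15 191.101.31.6
2016-05-28T09:15:10Z 10.0.0.22 google.com
2016-05-28T09:16:41Z 10.0.0.31 cdn.wscapi.com
2016-05-28T09:17:00Z 10.0.0.22 mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def classify_destination(dest):
    """Return 'c2', 'decoy' or None for one destination host/IP."""
    if dest in IOC_IPS:
        return "c2"
    if dest.lower().rstrip(".") in DECOY_HOSTS:
        return "decoy"
    for ioc_domain in IOC_DOMAINS:
        if domain_matches(dest, ioc_domain):
            return "c2"
    return None


def scan_log(text):
    """Return ({source_ip: sorted C2 destinations}, {hosts with decoy traffic only})."""
    hits = defaultdict(set)
    decoy_only = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, src, dest = m.groups()
        kind = classify_destination(dest)
        if kind == "c2":
            hits[src].add(dest)
        elif kind == "decoy":
            decoy_only.add(src)
    decoy_only -= set(hits)  # a host with a real C2 hit is not "decoy only"
    return {src: sorted(d) for src, d in hits.items()}, decoy_only


if __name__ == "__main__":
    c2_hits, decoys = scan_log(SAMPLE_LOG)
    for src, dests in sorted(c2_hits.items()):
        print(f"ALERT {src} contacted Pawn Storm C2: {', '.join(dests)}")
    for src in sorted(decoys):
        print(f"info  {src} only hit the google.com decoy; no action on its own")
```

The subdomain check in domain_matches is deliberate: a plain substring match on "wscapi.com" would also fire on an unrelated name such as notwscapi.com, while a real implant may well contact a subdomain of the listed C2 domain. Hosts that only touched google.com are reported as information, not as alerts, because that traffic is the decoy and looks identical to legitimate use.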
