PULSE NAME
Two Years of Pawn Storm
TLP: WHITE | Adversary: Sofacy | Author: AlienVault | Created: 2017-04-25 | Modified: 2017-04-25
By Feike Hacquebord at Trend Micro. Pawn Storm is an active cyber espionage actor group that has been very aggressive and ambitious in recent years. The group's activities show that foreign and domestic espionage and influence on geopolitics are the group's main motives, and not financial gain. Its main targets are armed forces, the defense industry, news media, politicians, and dissidents. We can trace activities of Pawn Storm back to 2004, and before our initial report in 2014 there wasn't much published about this actor group. However, since then we have released more than a dozen detailed posts on Pawn Storm. This new report is an updated dissection of the group's attacks and methodologies, something to help organizations gain a more comprehensive and current view of these processes and what can be done to defend against them.
Indicators of Compromise (95)
TYPE  INDICATOR  DESCRIPTION  CREATED
URL http://help-yahoo-service.com/pw/reset.php 2017-04-25
URL http://poczta.mon.q0v.pl/owa/auth/expiredpassword.aspx?sid=JGVjVXJlcEBSQG1FdEVy 2017-04-25
URL http://poczta.mon.q0v.pl/auth/expiredpassword.aspx?sid=JGVjVXJlcEBSQG1FdEVy 2017-04-25
URL https://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd 2017-04-25
URL http://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.academi.com/owa/&tids=lkdmfvlkd 2017-04-25
URL https://accounts.g00qle.com/ServiceLogin/?continue=3Dhttps://security.google.com/settings/security/secureaccount 2017-04-25
URL http://accounts.g00qle.com/ServiceLogin/?continue=3Dhttps://security.google.com/settings/security/secureaccount&hl=3Den&sarp=3Dhttps://mail.google.com/mail/&docid=amVmZnJleS5maXNjaEBnbWFpbC5jb20=&refer=SmVmZnJleStGaXNjaGVy&tel=1 2017-04-25
URL http://accounts.g00qle.com/ServiceLogin/?continue=3Dhttps://security.google.com/settings/security/secureaccount 2017-04-25
URL http://account.password-google.com/EditPasswd?e=orysiaua@gmail.com&n=T3J5c2lh&fn=T3J5c2lhK0x1dHNldnljaA== 2017-04-25
URL http://account.password-google.com/EditPasswd?e=example@gmail.com&n=&fn= 2017-04-25
URL http://tas-cass.org/wpmedia.php?q=653g3g3446g4g4342 2017-04-25
hostname www.actblues.com 2017-04-25
hostname secure.actblues.com 2017-04-25
domain account-aljazeera.net 2017-04-25
domain actblues.com 2017-04-25
domain anadolu-ajansi.com 2017-04-25
domain dansa.bg 2017-04-25
domain exua.email 2017-04-25
domain fkit-mil.dk 2017-04-25
domain fortele.ro 2017-04-25
domain kasapp.de 2017-04-25
domain login-osce.org 2017-04-25
domain mail-aljazeera.net 2017-04-25
domain mail-gov.me 2017-04-25
domain mail-hurriyet.com 2017-04-25
domain mail-isea.ru 2017-04-25
domain mail-navy.ro 2017-04-25
domain mail-pims.org 2017-04-25
domain mail-skupstina.me 2017-04-25
domain mailmil.ae 2017-04-25
domain mailpho.com 2017-04-25
domain mobile-sanoma.net 2017-04-25
domain onedrive-en-marche.fr 2017-04-25
domain posta-hurriyet.com 2017-04-25
domain privacy-yahoo.com 2017-04-25
domain set121.com 2017-04-25
domain sset-aljazeera.com 2017-04-25
domain sset-aljazeera.net 2017-04-25
domain ssset-aljazeera.net 2017-04-25
domain support-cdu.de 2017-04-25
domain tas-cass.org 2017-04-25
domain webmail-cdu.de 2017-04-25
domain webmail-hurriyet.com 2017-04-25
domain webmail-mfa.am 2017-04-25
domain webmail-mil.dk 2017-04-25
domain webmail-mil.gr 2017-04-25
domain webmail-saic.com 2017-04-25
hostname account.password-google.com 2017-04-25
hostname accounts.g00qle.com 2017-04-25
hostname e-post.byegm.web.tr 2017-04-25
hostname e-posta.tbmm.qov.web.tr 2017-04-25
hostname email.mfa.qov.gs 2017-04-25
hostname eposta.basbakanlik.qov.web.tr 2017-04-25
hostname inside.wada-arna.org 2017-04-25
hostname link.candybober.info 2017-04-25
hostname login.accoounts-google.com 2017-04-25
hostname mail.academl.com 2017-04-25
hostname mail.anadoluajansi.web.tr 2017-04-25
hostname mail.armf.bg.message-id8665213.tk 2017-04-25
hostname mail.arnf.bg 2017-04-25
hostname mail.bostondynamlcs.com 2017-04-25
hostname mail.byegm.web.tr 2017-04-25
hostname mail.dca.qov.my 2017-04-25
hostname mail.fach.rnil.cl 2017-04-25
hostname mail.g0v.me 2017-04-25
hostname mail.hm.qov.hu 2017-04-25
hostname mail.kuwaitarmy.gov-kw.com 2017-04-25
hostname mail.mod.qov.af 2017-04-25
hostname mail.mod.qov.es 2017-04-25
hostname mail.moda.qov.sa.com 2017-04-25
hostname mail.mofa.g0v.qa 2017-04-25
hostname mail.rnil.am 2017-04-25
hostname mail.rsaf.qov.sa.com 2017-04-25
hostname mail.university-tartu.info 2017-04-25
hostname mail.wada-awa.org 2017-04-25
hostname mod.qov.al 2017-04-25
hostname myaccount.google.comchangepasswordmyaccountidx8jxcn4ufdmncudd.gq 2017-04-25
hostname myaccount.google.comsecuritysettingpage.gq 2017-04-25
hostname poczta.mon-gov.pl 2017-04-25
hostname poczta.mon.q0v.pl 2017-04-25
hostname security.service-facebook.com 2017-04-25
hostname sftp.onderzoekraad.nl 2017-04-25
hostname url.googlesetting.com 2017-04-25
hostname vpn.onderzoekraad.nl 2017-04-25
hostname web.mailmil.lv 2017-04-25
hostname webmail.exerclto.pt 2017-04-25
hostname webmail.mfa.qov.ae 2017-04-25
hostname webmail.mofa.qov.ae 2017-04-25
hostname webmail.westinqhousenuclear.com 2017-04-25
IPv4 185.82.202.102 2017-04-25
IPv4 193.169.244.35 2017-04-25
IPv4 46.166.162.90 2017-04-25
IPv4 46.183.217.74 2017-04-25
IPv4 80.255.3.94 2017-04-25
IPv4 87.121.52.145 2017-04-25
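The list above is almost entirely credential-phishing infrastructure: lookalike webmail and OWA hosts that swap characters in the victim's real domain (qov, q0v and g0v for gov, rnil for mil, academl for academi, bostondynamlcs for bostondynamics) plus a handful of IPs. The script below is an added check, not code from the OTX pulse or from the Trend Micro report: it loads a subset of the indicators copied from the list, matches a constructed proxy log against them (exact host, any listed parent domain, or IP), undoes the character swaps this set uses to name the host a lookalike imitates (a heuristic limited to the swaps seen here), and base64-decodes lure URL query parameters, which several of these URLs use to carry target-specific values. Two caveats from the list itself: the `continue=3Dhttps://...` entries keep `=3D`, quoted-printable residue for `=` from the email they were extracted from, so match on hostname rather than on the literal URL; and the academl.com lure passes the genuine `mail.academi.com` OWA address in its `url` parameter, so the legitimate host will show up in the same sessions and should not be treated as an indicator. The log lines are constructed for the demonstration.

```python
# Added example: matches telemetry against the pulse indicators above.
# Not code from the pulse or the Trend Micro report. The indicator subset is
# copied from the list; LOG is constructed; SWAPS is a heuristic drawn from
# the patterns visible in this list only.
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Subset of the pulse indicators as (type, value), copied from the list above.
IOCS = [
    ("URL", "http://poczta.mon.q0v.pl/owa/auth/expiredpassword.aspx?sid=JGVjVXJlcEBSQG1FdEVy"),
    ("URL", "https://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1"
            "&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd"),
    ("domain", "actblues.com"),
    ("domain", "webmail-mil.dk"),
    ("hostname", "mail.mod.qov.af"),
    ("hostname", "mail.fach.rnil.cl"),
    ("hostname", "mail.g0v.me"),
    ("IPv4", "185.82.202.102"),
]

# Constructed proxy log: timestamp, client IP, destination host or IP, path.
LOG = """\
2017-04-26T08:01:02Z 10.1.2.3 mail.academl.com /owa/auth/logon.aspx
2017-04-26T08:01:09Z 10.1.2.3 mail.academi.com /owa/
2017-04-26T08:02:15Z 10.1.2.7 secure.actblues.com /
2017-04-26T08:03:40Z 10.1.2.9 185.82.202.102 /
2017-04-26T08:04:01Z 10.1.2.9 www.google.com /
2017-04-26T08:05:22Z 10.1.2.4 mail.mod.qov.af /owa/auth/logon.aspx
"""

def indicator_host(ioc_type, value):
    """Reduce one indicator to the host it names (a URL to its hostname)."""
    if ioc_type == "URL":
        return urlsplit(value).hostname.lower()
    return value.lower().rstrip(".")

def build_hostset(iocs):
    return {indicator_host(t, v) for t, v in iocs if t in ("URL", "hostname", "domain")}

def match_host(host, hostset):
    """Return the listed entry covering `host`: the host itself or its closest
    listed parent, so secure.actblues.com matches the listed domain
    actblues.com. None when nothing on the list covers it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hostset:
            return candidate
    return None

def scan_log(text, iocs):
    """Return one (timestamp, client, destination, matched indicator) per hit."""
    hostset = build_hostset(iocs)
    ipset = {v for t, v in iocs if t == "IPv4"}
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, dst = parts[:3]
        matched = dst if dst in ipset else match_host(dst, hostset)
        if matched:
            hits.append((ts, client, dst, matched))
    return hits

# Character swaps that appear in this indicator set (heuristic, not a general
# homoglyph table). Order matters: q0v before qov.
SWAPS = (("q0v", "gov"), ("qov", "gov"), ("g0v", "gov"), ("rnil", "mil"))

def impersonated_host(host):
    """Undo the swaps above to show which real host a lookalike imitates.
    Returns None when no listed swap applies."""
    guess = host.lower()
    for bad, good in SWAPS:
        guess = guess.replace(bad, good)
    return guess if guess != host.lower() else None

def decode_b64_params(url):
    """Decode query parameters that are valid base64 of printable ASCII."""
    out = {}
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not val:
            continue
        padded = val + "=" * (-len(val) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue  # not base64 (e.g. the plain "url=https://..." value)
        if raw and all(32 <= b < 127 for b in raw):
            out[key] = raw.decode("ascii")
    return out

if __name__ == "__main__":
    for ts, client, dst, matched in scan_log(LOG, IOCS):
        guess = impersonated_host(dst)
        suffix = f", imitates {guess}" if guess else ""
        print(f"{ts} {client} -> {dst} (listed as {matched}{suffix})")
    print(decode_b64_params(IOCS[0][1]))
```

Run against the constructed log, the scan reports four hits (the academl.com lure, a subdomain of the listed actblues.com, the listed IP, and the qov.af host) and stays silent on the genuine mail.academi.com, which is the behaviour you want when the lure's `url` parameter redirects victims to the real OWA. Parent-domain matching is what lets a `domain` entry such as actblues.com catch the `www.` and `secure.` hosts the list also names; feed it the full list rather than this subset in practice.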