A new brand of malware that could be tied to the Russian government is being used to spy on Western military officials, government workers and members of the media, according to new research from a prominent cybersecurity firm. Known as “Operation Pawn Storm,” the spyware first targeted Microsoft users about the time Russian troops invaded Ukraine, though it has now been discovered on Apple iOS devices.
Researchers at security firm Trend Micro first announced the news Wednesday, making it clear that the “active economic and political cyber-espionage operation” has now cast a much wider net. Infiltration of a high-level target using an iOS or Microsoft device could cost them their text messages, contact lists, pictures and location data. It could also automatically start voice recordings and steal other potentially sensitive material.
Hackers have tried to access victims’ devices with two apps: XAgent and Madcap, the latter of which borrows its name from an actual, popular iOS game.
Operation Pawn Storm is part of a large spearphishing effort, which involves trying to trick individuals into providing access to their device. It’s being conducted as part of the SEDNIT campaign, which a number of researchers have connected to Kremlin-backed hackers.
“The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server,” Trend Micro said in the announcement. “As of this publishing, the C&C server contacted by the iOS malware is live.”
Trend Micro stopped short of directly accusing the Russian government of being behind the attack, but a number of other researchers said the malware is sophisticated enough to be tied to a nation state. It was first deployed in earnest in the months directly following Russia’s annexation of Crimea, which provoked international outrage and prompted U.S. sanctions that have targeted the Russian economy.
It was then that the organizations most likely to coordinate that response were targeted by Operation Pawn Storm, which first used Microsoft Outlook to try to breach potential victims’ devices. Among those targeted were individuals at the Organization for Security and Cooperation in Europe, the Science International Corporation and ACADEMI (the defense contractor formerly known as Blackwater).
“Our investigation into Pawn Storm has shown that the attackers have done their homework,” Jim Gogolinski, a senior researcher at Trend Micro, explained in a blog post last year. “Their choice of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.”