A Russian cyberespionage group known as Pawn Storm has adopted new tools in an ongoing attack campaign against defense contractors with the goal of defeating network isolation policies.
Pawn Storm, also known as Sofacy, after its primary malware tool, has been active since at least 2007 and has targeted governmental, security and military organizations from NATO member countries, as well as media organizations, Ukrainian political activists and Kremlin critics.
Since August, the group has been engaged in an ongoing attack campaign focused on defense contractors, according to security researchers from Kaspersky Lab.
During this operation, the group has used a new version of a backdoor program called AZZY and a new set of data-stealing modules. One of those modules monitors for USB storage devices plugged into the computer and steals files from them based on rules defined by the attackers.
The Kaspersky Lab researchers believe that this module’s goal is to defeat so-called network air gaps, network segments where sensitive data is stored and which are not connected to the Internet to limit their risk of compromise.
However, it’s fairly common for employees in organizations that use such network isolation policies to move data from air-gapped computers to their workstations using USB thumb drives.
Pawn Storm joins other sophisticated cyberespionage groups, like Equation and Flame, that are known to have used malware designed to defeat network air gaps.
“Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena,” the Kaspersky researchers said in a blog post. “This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day.”