Russian hackers using stolen corporate email accounts to mask their phishing attempts

Trend Micro research reveals the Russian hacking group is resorting to simple tactics to fulfill its intelligence gathering mission.
fancy bear phishing email
(Getty Images)

Hackers working for Russian military intelligence have long relied on zero-days and malware to target their victims, but in the last year they’ve kept it simple — using previously hacked email accounts to send a wide array of phishing attempts, according to new research from security firm Trend Micro.

Since at least May of last year, the group known as Fancy Bear, APT28, or Pawn Storm, has used hacked email accounts belonging to high-profile personnel working at defense firms in the Middle East to carry out the operation, according to Feike Hacquebord, a senior threat researcher at Trend Micro.

“The actor connects to a dedicated server using the OpenVPN option of a commercial VPN provider and then uses compromised email credentials to send out credential spam via a commercial email service provider,” Hacquebord writes in the research.

The group, which the U.S. Department of Justice linked with Russia’s Main Intelligence Directorate of the Russian General Staff (GRU) two years after its 2016 intrusion at the Democratic National Committee, has long been focused on conducting espionage against defense ministries and military entities for Moscow’s political and economic gain.


But Fancy Bear has also been firing off phishing attempts using hacked email addresses from the government, financial, utilities, and transportation sectors in the United Arab Emirates, India, Pakistan, Jordan, and the U.S., according to Trend Micro, suggesting the group has plenty of previously successful compromises.

It isn’t clear why the Russian hacking group, which has been active since 2004, is willing to risk revealing some of their successful crusades in order to run these campaigns, Hacquebord said.

“Pawn Storm could be attempting to evade filtering at the cost of making some of their successful compromises known to security companies,” Hacquebord said. “However, we did not notice a significant change in successful inbox deliveries of the group’s spam campaigns, making it difficult to understand the rationale behind the change in methodology.”

Hacquebord said he suspects Trend Micro’s new findings suggest that Fancy Bear may rely on targeting techniques that don’t rely on malware, which may reveal how the the GRU carries out its plans.

Fancy Bear has not necessarily abandoned its use of malware to target its victims — the group was using malware last summer to target Central Asian nations, diplomatic entities, and foreign affairs organizations, as CyberScoop first reported. The group has also in recent months targeted sports-related organizations, particularly Olympics-linked entities in advance of the planned Tokyo Olympics in 2020, and may have used malware to do so, according to Microsoft research.


The group’s interest in using compromised emails to run its campaigns last year, however, has coincided with its attempts to exploit simple configurations of internet of things devices and office technology in order to breach privileged accounts.

How Russia stole account access

Trend Micro did not have full visibility into how exactly the Russian government gained use of the compromised email accounts used in these campaigns, but it’s possible Fancy Bear obtained access in a series of brute forcing incidents.

Last year, for instance, the group was probing email and Microsoft Exchange Autodiscover servers around the world in an attempt to brute force credentials and exfiltrate email data, according to Trend Micro. In mid-August, the company says the GRU expressed significant interest in an unidentified Middle Eastern government and South American military entity and conducted “large-scale” data exfiltration from both.

The group targeted a broad swath of entities around the world, not just government, military, and political organizations, but also IT companies, academia, law firms, and airports, according to Trend Micro.


In Europe and the U.S., the hackers have also been searching for vulnerable servers running Microsoft SQL Server and Directory Services.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts