The persistent threat actor known as Pawn Storm, also tracked as APT28 and Forest Blizzard, has kept reusing the same tactics, techniques, and procedures (TTPs) across its campaigns, often targeting hundreds of individuals within a single organization. Despite their apparent lack of sophistication, these campaigns have enabled Pawn Storm to compromise thousands of email accounts and carry out advanced post-exploitation actions.
From April 2022 to November 2023, Pawn Storm repeatedly attempted NTLMv2 hash relay attacks against government departments (foreign affairs, energy, defense, and transportation, among others) as well as organizations in the defense industry, the energy and transportation sectors, and military forces, across multiple regions. In an attack of this kind the victim's client is coaxed into authenticating to attacker-controlled infrastructure, and the resulting NTLMv2 challenge-response is relayed to a legitimate service or captured for offline cracking, so the attacker does not need to steal a password up front.
The group's post-exploitation activities include modifying folder permissions in victim mailboxes to gain more durable persistence and using the compromised email accounts to facilitate lateral movement within the organization. Pawn Storm's targets therefore span a wide range of sectors across different regions of the world.
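The mailbox folder-permission change described above leaves a trace in mailbox audit logging, which makes it a practical hunt. The following is an added example, not code from the Pawn Storm report or from any vendor: it scans Exchange-style `UpdateFolderPermissions` audit records for grants that expose folder contents to broad principals (the `Default`/Everyone SID `S-1-1-0` and the `Anonymous` SID `S-1-5-7`), and separately flags client IPs that changed permissions on more than one mailbox, which is what a single actor working through many accounts looks like. The record layout (`Operation`, `MailboxOwnerUPN`, `UserId`, `ClientIPAddress`, `Item.ParentFolder.*`) is an assumption modelled on Exchange Online mailbox-audit records and should be checked against your tenant's actual schema; the sample records are constructed, not real telemetry.

```python
"""Hunt mailbox-audit records for folder-permission grants to broad principals.

Added example; not the report's or Microsoft's code. The record layout is an
assumption modelled on Exchange Online "UpdateFolderPermissions" audit entries,
and SAMPLE_AUDIT_RECORDS below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Principals a legitimate user almost never grants mail access to.
# S-1-1-0 is Everyone (shown as "Default" in Outlook), S-1-5-7 is Anonymous Logon.
BROAD_PRINCIPAL_SIDS = {"S-1-1-0": "Default", "S-1-5-7": "Anonymous"}

# Rights that only reveal that a folder exists or calendar free/busy state,
# not item contents. Anything beyond these exposes mail to the grantee.
HARMLESS_RIGHTS = {"None", "Visible", "FreeBusySimple", "FreeBusyDetailed"}

# Constructed sample records (assumed field layout, see module docstring).
SAMPLE_AUDIT_RECORDS: List[Dict] = [
    {   # Inbox readable by Everyone: the persistence pattern we are hunting.
        "Operation": "UpdateFolderPermissions", "MailboxOwnerUPN": "alice@example.org",
        "UserId": "alice@example.org", "ClientIPAddress": "203.0.113.5",
        "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberSid": "S-1-1-0",
                                  "MemberUpn": "Default", "MemberRights": "ReadAny, Visible"}},
    },
    {   # Ordinary calendar sharing: free/busy only, not a finding.
        "Operation": "UpdateFolderPermissions", "MailboxOwnerUPN": "bob@example.org",
        "UserId": "bob@example.org", "ClientIPAddress": "198.51.100.9",
        "Item": {"ParentFolder": {"Path": "\\Calendar", "MemberSid": "S-1-1-0",
                                  "MemberUpn": "Default", "MemberRights": "FreeBusySimple"}},
    },
    {   # Delegation to a named colleague: not a broad principal, not a finding.
        "Operation": "UpdateFolderPermissions", "MailboxOwnerUPN": "carol@example.org",
        "UserId": "carol@example.org", "ClientIPAddress": "198.51.100.7",
        "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberSid": "S-1-5-21-1-2-3-1105",
                                  "MemberUpn": "dave@example.org", "MemberRights": "Owner"}},
    },
    {   # Anonymous read on a second mailbox from the same client IP as alice's change.
        "Operation": "UpdateFolderPermissions", "MailboxOwnerUPN": "erin@example.org",
        "UserId": "erin@example.org", "ClientIPAddress": "203.0.113.5",
        "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberSid": "S-1-5-7",
                                  "MemberUpn": "Anonymous", "MemberRights": "ReadAny"}},
    },
    {   # Unrelated operation, must be ignored.
        "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "erin@example.org",
        "UserId": "erin@example.org", "ClientIPAddress": "203.0.113.5", "Item": {},
    },
]


def parse_rights(rights) -> set:
    """'ReadAny, Visible' -> {'ReadAny', 'Visible'}; tolerates None or empty input."""
    return {r.strip() for r in (rights or "").split(",") if r.strip()}


def find_broad_grants(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per permission change that gives Everyone or Anonymous
    any right beyond folder visibility / free-busy on a mailbox folder."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "UpdateFolderPermissions":
            continue
        folder = rec.get("Item", {}).get("ParentFolder", {})
        sid = folder.get("MemberSid", "")
        if sid not in BROAD_PRINCIPAL_SIDS:
            continue
        exposing = parse_rights(folder.get("MemberRights")) - HARMLESS_RIGHTS
        if not exposing:
            continue
        findings.append({
            "mailbox": rec.get("MailboxOwnerUPN"),
            "folder": folder.get("Path"),
            "grantee": BROAD_PRINCIPAL_SIDS[sid],
            "rights": sorted(exposing),
            "actor": rec.get("UserId"),
            "client_ip": rec.get("ClientIPAddress"),
        })
    return findings


def client_ips_spanning_mailboxes(records: Iterable[Dict], min_mailboxes: int = 2) -> Dict[str, List[str]]:
    """Map client IP -> mailboxes whose folder permissions it changed, keeping only
    IPs that touched at least min_mailboxes distinct mailboxes (heuristic added here:
    one source fanning out across accounts, rather than owners tuning their own sharing)."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("Operation") != "UpdateFolderPermissions":
            continue
        ip = rec.get("ClientIPAddress")
        if ip:
            seen[ip].add(rec.get("MailboxOwnerUPN"))
    return {ip: sorted(boxes) for ip, boxes in seen.items() if len(boxes) >= min_mailboxes}


if __name__ == "__main__":
    for f in find_broad_grants(SAMPLE_AUDIT_RECORDS):
        print("broad grant:", f)
    for ip, boxes in client_ips_spanning_mailboxes(SAMPLE_AUDIT_RECORDS).items():
        print("fan-out from", ip, "->", boxes)
```

Feed it the JSON `AuditData` payloads exported from your audit log search and reconcile every hit with the mailbox owner; a `Default` or `Anonymous` grant on `\Inbox` that the owner did not make is the persistence mechanism the report describes, and the fan-out view shows which other mailboxes the same source touched.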