Spear phishers with suspected ties to Russian government spoof fake EFF domain, attack White House

The spear-phishing attempt appears to be part of "Pawn Storm," a large-scale attack campaign that has been underway across the net for more than a month and involved a rare Java zero-day (a previously unknown exploit).

The attackers, APT28, a group with longstanding suspected Russian government ties, used URLs at the domain "electronicfrontierfoundation.org" in their phishing emails (the Electronic Frontier Foundation's real domain is eff.org). Pawn Storm has many targets, including the White House and NATO.

Oracle has patched the Java zero-day. Pawn Storm continues. To get good, practical advice on protecting yourself from this sort of cyber-attack, read EFF's Surveillance Self-Defense Kit.


Because this attack used the same path names, Java payloads, and Java exploit that have been used in other attacks associated with Pawn Storm, we can conclude that it is almost certainly being carried out by the same group responsible for the rest of the Pawn Storm attacks. Other security researchers have linked the Pawn Storm campaign with the original Sednit and Sofacy targeted malware campaigns, also known as "APT 28," citing the fact that they use the same custom malware and have similar targets. In a 2014 paper (PDF), the security company FireEye linked the "APT 28" group behind Sednit/Sofacy with the Russian government based on technical evidence, technical sophistication, and the targets chosen. Drawing from these conclusions, it seems likely that the organization behind the fake-EFF phishing attack also has ties to the Russian government. Past attacks have targeted Russian dissidents and journalists, U.S. defense contractors, NATO forces, and White House staff. We do not know who the targets were for this particular attack, but it does not appear that they were EFF staff.


New Spear Phishing Campaign Pretends to be EFF
[Cooper Quintin/EFF]
