Monday, May 5, 2025
HomeCyber Security NewsPawn Storm APT Launch Hash Relay Attacks on Government Departments

Pawn Storm APT Launch Hash Relay Attacks on Government Departments

Published on

SIEM as a Service

Follow Us on Google News

In the analysis by Trendmicro, they dissect the recent maneuvers of this advanced persistent threat (APT) actor, shedding light on its unyielding repetition of tactics and the intricate dance between its seemingly unsophisticated campaigns and the concealed sophistication within.

Known by aliases APT28 and Forest Blizzard, Pawn Storm’s resilience echoes through a decade-long saga of relentless cyber intrusions. 

While some may dismiss its aged phishing techniques, these campaigns, often targeting hundreds simultaneously, provide a nuanced understanding of the threat actor’s evolving infrastructure and more advanced exploits hidden beneath the surface.

- Advertisement - Google News
Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Navigating the Noise – Net-NTLMv2 Hash Relay Attacks*

From April 2022 to November 2023, Pawn Storm orchestrated extensive Net-NTLMv2 hash relay attacks, creating peaks of activity against government entities in foreign affairs, energy, defense, and transportation. 

Is this relentless assault a mere display of noise or cost-efficient automation of brute-force attempts targeting global networks of governments and defense industries?

Trend Micro said that Pawn Storm employs a sophisticated array of anonymization tools, including VPN services, Tor, and compromised EdgeOS routers.

This cloak of anonymity extends to its spear-phishing emails, originating from compromised email accounts accessed through Tor or VPN exit nodes. 

The cyber chessboard expands with the integration of free services and URL shorteners, adding layers to its elusive presence.

Vulnerability Exploitation – CVE-2023-23397 Unveiled

March 2023 witnessed the exploitation of the critical Outlook vulnerability CVE-2023-23397 by Pawn Storm. 

Delivered through spear-phishing emails, this flaw allowed the attacker to launch Net-NTLMv2 hash relay attacks, persistently targeting Microsoft Exchange Servers within victim organizations. 

The chessboard evolves with the intricate moves of exploiting zero-day vulnerabilities.

In a revelation of subtlety, Pawn Storm deployed a streamlined information stealer in October 2022. 

This malicious attachment, devoid of a command-and-control server, autonomously exfiltrated data from embassies and high-profile targets. 

Spear phishing email
Spear phishing email

Spear-phishing email sent by Pawn Storm in October 2022 with a malicious attachment that installs a simple information stealer without a C&C server

The crude exterior conceals a methodical approach, with the stolen information discreetly uploaded to free file-sharing services, evading attribution.

Pawn Storm’s legacy extends beyond two decades, embodying both aggression and determination.

Its strategic evolution, from brute-force assaults to the deployment of zero-day vulnerabilities, challenges defenders to decipher the intricate moves on this digital chessboard. 

For network defenders seeking to fortify their defenses, the appendix offers an extensive list of indicators. 

Despite Pawn Storm’s use of shared IP addresses, the relatively slow changes in its tactics serve as a beacon for detecting the initial stages of compromise. 

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...