Russian Spy-Group Tried Hacking MH17 Investigation

A Cyber-spy group is reported to have attempted to hack the Dutch Safety Board officials’ computers tasked with the MH17 air crash investigation.

Pawn Storm, a Russian spy group believed to have close connections with the Russian government reportedly targeted the Dutch agency before and after the safety board published their detailed report on the MH17 incident on October 13, 2015, Trend Micro reported on its website October 22.

“Pawn Storm has a long history of targeting government agencies and private organizations to steal sensitive information. Our most recent findings show that they targeted the international investigation team of the MH17 plane crash from different sides,” the company said.

Trend Micro believes that a fake server mimicking an SFTP server of the Dutch agency was set up on September 28, 2015, later a fake VPN server of the same organization was set up on October 14, 2015. These were used for credential phishing attacks against the personnel of the safety board to get unauthorized access to both the SFTP and the VPN server.

The Trendlabs Security blog said this was the first time that they have seen direct evidence of an APT group attempting to get unauthorized access to a VPN server.

“The VPN server of the Safety Board looks to use temporary tokens for authentication. However, these tokens can be phished in a straightforward way and tokens alone do not protect against one-time unauthorized access by third parties, once the target falls for the phishing attack,” the website said.

The attacks weren’t limited to the Dutch Safety Board. On September 29 2015, a fake Outlook Web Access (OWA) server was set up to target an important partner of the Dutch Safety Board in the MH17 investigation. We were able to warn the affected party in a very early stage, thus probably preventing the attack to succeed.

These discoveries show that it is very likely that Pawn Storm coordinated attacks against different organizations to get sensitive information on the MH17 plane crash.

In a press release, Trend Micro said it notified the safety board before any information was accessed.

Speaking to AFP, a spokeswoman for the Dutch Safety Board said the cyber incidents had been uncovered, but did not provide details on who they thought the perpetrators were. She also said there was "no evidence" the efforts had succeeded.

In the past, the group is believed to have carried out attacks against the White House, NATO, and Syrian opposition. Trend Micro reported that Pawn Storm is boosting its attack efforts targeting the Syrian groups, along with other countries in the region that have spoken out against Russia.

The MH17 flight was brought down with a high degree of accuracy last July 17 killing 298 passengers onboard.  The results of the investigation was released in October this year.

The official report concluded that Malaysia Airlines flight MH17 was shot down by a Russian-made BUK missile fired from rebel-held eastern Ukraine.

The report rejected Moscow's contention that the plane was hit by a missile fired by Ukrainian troops as it flew at some 33,000 feet above the territory.

The report said, "The investigation was not concerned with question of blame or liability. Answering those question is a matter for the criminal investigation."