Russian Hackers Switch Tactics

The infamous Russian hacking group APT28, also known as Pawn Storm, has switched tactics over the past year. Its focus has moved to scanning the internet for exposed email, Microsoft SQL Server and directory services servers.

The group, also known as Sednit, Sofacy and Strontium, has been behind some of the most audacious attacks of recent years. Under the control of its Kremlin overseers it was responsible for hacking the systems of the World Anti-Doping Agency (WADA) after the Russian state-backed doping scandal came to light.

The group is also believed to be behind the theft of sensitive information from the Democratic National Committee (DNC), something that Hillary Clinton has long claimed helped Donald Trump become President.

Its previous techniques focused on coordinated spear-phishing campaigns aimed at deploying malware onto the target organizations' servers.

During the past year, however, Trend Micro reports that the group has been scanning TCP port 443 and cataloguing exposed email servers and Microsoft Exchange Autodiscover endpoints around the globe. It has also been scanning TCP ports 445 (SMB) and 1433 (the default Microsoft SQL Server port) to identify vulnerable servers running Microsoft SQL Server and directory services.

According to the Trend Micro report, the group first identifies vulnerable servers, then brute-forces credentials, harvests email data, and uses that information for spam campaigns, often with malware attached.
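The two behaviours described above, wide scanning of TCP 443/445/1433 followed by password brute-forcing against whatever answers, are both visible in ordinary perimeter and authentication logs. The following is an added example written for this page, not code from the article or from Trend Micro's report: it flags sources that probe the watched ports across several hosts, sources that rack up repeated login failures against one account (and whether a success followed, which is the credential-found case the article describes), and correlates the two. The log formats, field order, IP addresses, account names and thresholds are all assumptions; adapt the parsers to your own firewall and mail/SQL authentication logs.

```python
"""Detect port scanning of 443/445/1433 and credential brute-forcing in logs.

Added example for this article; not the article's or Trend Micro's code.
Log layouts, addresses, usernames and thresholds below are assumptions.
"""
from collections import defaultdict

# Ports the article says were being scanned, with an assumed service label.
WATCHED_PORTS = {443: "https/Exchange-Autodiscover", 445: "smb", 1433: "mssql"}

# Constructed firewall sample (assumed layout): "time src dst dport action"
FIREWALL_LOG = """\
2020-03-16T09:00:01 203.0.113.7 198.51.100.10 443 ALLOW
2020-03-16T09:00:02 203.0.113.7 198.51.100.11 443 ALLOW
2020-03-16T09:00:02 203.0.113.7 198.51.100.12 1433 ALLOW
2020-03-16T09:00:03 203.0.113.7 198.51.100.13 445 DENY
2020-03-16T09:00:03 203.0.113.7 198.51.100.14 445 DENY
2020-03-16T09:00:04 203.0.113.7 198.51.100.15 1433 ALLOW
2020-03-16T09:05:00 192.0.2.44 198.51.100.10 443 ALLOW
2020-03-16T09:05:10 192.0.2.44 198.51.100.10 443 ALLOW
"""

# Constructed authentication sample (assumed layout): "time src user service result"
AUTH_LOG = """\
2020-03-16T09:10:00 203.0.113.7 j.smith owa FAIL
2020-03-16T09:10:01 203.0.113.7 j.smith owa FAIL
2020-03-16T09:10:02 203.0.113.7 j.smith owa FAIL
2020-03-16T09:10:03 203.0.113.7 j.smith owa FAIL
2020-03-16T09:10:04 203.0.113.7 j.smith owa FAIL
2020-03-16T09:10:05 203.0.113.7 j.smith owa SUCCESS
2020-03-16T09:10:07 203.0.113.7 sa mssql FAIL
2020-03-16T09:10:08 203.0.113.7 sa mssql FAIL
2020-03-16T09:10:09 203.0.113.7 sa mssql FAIL
2020-03-16T09:12:00 192.0.2.44 a.jones owa FAIL
2020-03-16T09:12:30 192.0.2.44 a.jones owa SUCCESS
"""


def find_scanners(log, min_hosts=3):
    """Return {src: sorted [(dst, port), ...]} for sources that touched a
    watched port on at least `min_hosts` distinct destinations.
    Denied connections count too: a scan shows up whether or not it connects."""
    touched = defaultdict(set)
    for line in log.splitlines():
        _ts, src, dst, dport, _action = line.split()
        dport = int(dport)
        if dport in WATCHED_PORTS:
            touched[src].add((dst, dport))
    return {src: sorted(pairs) for src, pairs in touched.items()
            if len({dst for dst, _ in pairs}) >= min_hosts}


def find_bruteforce(log, min_failures=4):
    """Return {(src, user, service): (failures, succeeded)} for source/account
    pairs with at least `min_failures` failed logins. `succeeded` is True when a
    SUCCESS followed earlier failures from the same source, i.e. a guessed password."""
    stats = defaultdict(lambda: [0, False])  # key -> [failure count, success seen]
    for line in log.splitlines():
        _ts, src, user, service, result = line.split()
        key = (src, user, service)
        if result == "FAIL":
            stats[key][0] += 1
        elif result == "SUCCESS" and stats[key][0] > 0:
            stats[key][1] = True
    return {k: (n, ok) for k, (n, ok) in stats.items() if n >= min_failures}


def correlate(fw_log, auth_log):
    """Sources that both scanned and brute-forced: the alerts to look at first."""
    scanners = find_scanners(fw_log)
    brute = find_bruteforce(auth_log)
    return sorted({src for (src, _user, _svc) in brute if src in scanners})


if __name__ == "__main__":
    for src, targets in find_scanners(FIREWALL_LOG).items():
        services = sorted({WATCHED_PORTS[p] for _, p in targets})
        print(f"scan from {src}: {len(targets)} host/port pairs, services {services}")
    for (src, user, svc), (n, ok) in find_bruteforce(AUTH_LOG).items():
        tail = ", then SUCCESS (account likely compromised)" if ok else ""
        print(f"brute force from {src} against {user}@{svc}: {n} failures{tail}")
    print("scan followed by brute force from:", correlate(FIREWALL_LOG, AUTH_LOG))
```

In the constructed sample, 203.0.113.7 sweeps six hosts on all three ports and then guesses its way into an OWA account after five failures, so it appears in all three reports; 192.0.2.44 is a single user mistyping a password once and is ignored. Thresholds are deliberately low for the sample and should be tuned to your own baseline, and the MSSQL `sa` attempts show why a per-service threshold (three failures against `sa` is already suspicious) may be worth adding.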

By gaining access to a high-profile email account, the group then uses that account to attack the owner's contacts and network, building a web of associated compromised accounts and computers.

Recipients of this unwanted attention include the usual suspects: military and defense organizations, governments, political parties, law firms and universities.

More unusual targets included private schools in France and the UK and even a German kindergarten.

While the reason for the switch is unclear, it underlines the importance of diligence when planning your network security: in particular, not exposing SMB, SQL Server or directory services directly to the internet, and enforcing strong authentication on any mail service that must be reachable from outside, since the campaign described here depends on finding exposed services and guessing their passwords.