A closely watched band of suspected Russian hackers have spied on domestic targets, including two members of the outspoken punk rock band Pussy Riot.
Trend Micro said the group, which it refers to as Pawn Storm, has also targeted a software developer in Russia, politicians, artists and journalists in the country.
“Pawn Storm’s targets have mostly been external political entities outside of Russia, but after our analysis we found that a great deal of targets can actually be found within the country’s borders,” wrote Feike Hacquebord, a Trend Micro threat researcher, in a blog post on Tuesday.
Trend came to its conclusion by studying phishing campaigns conducted by Pawn Storm. The group distributes its malware through emails which seek to trick users into clicking on malicious files or links.
It analyzed 12,000 phishing attacks, which sought to steal login credentials, from 2014 and this year. That made it possible “to derive reliable statistics on Pawn Storm targets worldwide,” Hacquebord wrote.
Other security companies, including FireEye, have kept an eye on Pawn Storm over the years. FireEye, which named it APT (advanced persistent threat) 28, said in October it suspected the group was in Russia.
FireEye said much of the group’s malware was set to a Russian language setting, and its working patterns adhered to business hours in Moscow.
Pawn Storm has been active for at least seven years and in the past has focused on geopolitical targets relating to the Caucasus region, Europe and its neighbor, Georgia.
Hacquebord wrote the latest analysis showed two members of the band Pussy Riot have been targeted, as well as a popular Russian rock star.
Russia imprisoned three members of Pussy Riot after they staged an impromptu performance in a Moscow church in early 2012. The group has been highly critical of the Russian government, and their sentences drew worldwide condemnation.
In one another instance, Pawn Storm targeted an active Russian military attache working in a NATO county, which “makes the spies’ motivations even more intriguing,” Hacquebord wrote.
The locations of the top three most targeted people were Ukraine, followed by the U.S. and U.K. In the U.S., Pawn Storm typically pursues the country’s military and affiliated defense companies although it is also interested in energy research, think tanks and academics, he wrote.
Last month, the group attacked high-profile people who use Yahoo’s free email system. The phishing emails were written as if they were notifications from Yahoo for an opt-in program that would improve the deliverability of their email, Hacquebord wrote.
But if users clicked on the link in the email, they unknowingly granted access to their accounts to the attackers using OAuth. OAuth is a protocol for logging into other services using account credentials from another.
“When Yahoo users would opt in, Pawn Storm would get unfettered access to the mailbox,” he wrote.