Overview :globe_with_meridians:

Storm-0558, identified as a China-based threat actor, has been active with espionage-focused objectives. Their strategies include unauthorized email access targeting multiple organizations, including government agencies. Microsoft, during its extensive investigation into the threat actor’s activities, has taken several measures to counteract their actions and safeguard its users.

Key Highlights: :mag:

  • Origins: :round_pushpin: China
  • Active Since: :calendar: At least 2021
  • Primary Targets: :dart: US and European diplomatic bodies, economic entities, legislative governing bodies, individuals with ties to Taiwan and Uyghur geopolitical interests, media companies, think tanks, and telecommunications service providers.
  • Main Objectives: :dart: Unauthorized email access, credential harvesting, and intellectual property theft.

Tactics and Techniques: :crossed_swords:

Attack Vectors:

  • Email Access: :e-mail: Leveraged forged authentication tokens to access user emails.
  • OAuth Attacks: :link: Displayed interest in OAuth applications, token theft, and token replay against Microsoft accounts.
  • Phishing Campaigns: :fishing_pole_and_fish: Historically, Storm-0558 has used phishing campaigns to obtain initial access credentials.
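The defensive counterpart to the forged-token vector listed above is strict token validation on the receiving side: a mail API should only accept a token whose signature verifies under a key it explicitly trusts, and whose issuer, audience and expiry match what it expects. The following is an added illustration written for this page, not Microsoft's code or a description of its token format; it uses HS256 so it runs offline with the standard library, and the key id `kid-2023-prod`, the issuer `https://issuer.example.test` and the audience `mail-api.example.test` are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed trust store: key id -> signing secret. In a real service this
# is the identity provider's published key set, never a hard-coded secret.
TRUSTED_KEYS = {
    "kid-2023-prod": b"placeholder-secret-for-illustration-only",
}
EXPECTED_ISSUER = "https://issuer.example.test"      # assumed value
EXPECTED_AUDIENCE = "mail-api.example.test"          # assumed value


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_token(claims: dict, kid: str, secret: bytes) -> str:
    """Mint an HS256 token. Present only to build sample input for the checks."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check must pass before the token is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"

    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"

    # A token signed by any key outside the trust store is rejected outright,
    # regardless of how plausible its claims look.
    secret = TRUSTED_KEYS.get(header.get("kid"))
    if secret is None:
        return False, "unknown kid"

    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"

    # Signature alone is not enough: the token must be meant for this issuer,
    # this audience, and still be within its validity window.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": "user@example.test", "exp": 2_000_000_000}
    good = make_token(claims, "kid-2023-prod", TRUSTED_KEYS["kid-2023-prod"])
    bad = make_token(claims, "kid-2023-prod", b"some-other-secret")
    print(validate_token(good, now=1_700_000_000))  # (True, 'ok')
    print(validate_token(bad, now=1_700_000_000))   # (False, 'bad signature')
```

The order of the checks matters for defenders: key identity and signature are verified before any claim is read, so a token that merely claims a trusted `kid` but was signed elsewhere fails at the signature step, and a validly signed token for a different audience still fails at the claims step. Logging the returned reason string gives a useful signal for the kind of token-replay and token-forgery activity described above.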

Tools and Malware:

  • Web Shells: :earth_africa: Deployment of web shells on compromised servers, notably China Chopper.
  • Malware Family: :microbe: One prevalent malware family is tracked by Microsoft as Cigril, launched using dynamic-link library (DLL) search order hijacking.

Operational Security:

  • :shield: Displays high technical tradecraft and operational security.
  • :closed_lock_with_key: Awareness of targets’ logging policies, authentication requirements, policies, and procedures.

Historical Activity: :hourglass_flowing_sand:

  • Primary Interests: :newspaper: Targeting media companies, think tanks, telecommunication equipment, and service providers. Historically, during the period 2021 to 2023, there has been a significant increase in their interest in media companies and think tanks.
  • Campaign Objectives: :dart: Mostly to gain unauthorized access to email accounts.
  • Technical Awareness: :bulb: Storm-0558 is technically adept and understands various authentication techniques and applications. Their proficiency has grown over the years, indicating consistent research and development efforts.

Microsoft’s Response: :shield:

Upon identification of Storm-0558’s malicious campaigns, Microsoft implemented measures such as:

  • :mag: Root cause analysis.
  • :round_pushpin: Durable tracking of the campaign.
  • :x: Disrupting malicious activities.
  • :european_castle: Hardening environments.
  • :envelope_with_arrow: Notifications to impacted customers.
  • :handshake: Collaboration with multiple government entities.