The Storm-0558 hackers managed to successfully target approximately 25 organizations, including government agencies, and potentially compromised related consumer accounts before their activities were thwarted.
Microsoft has recently uncovered a sophisticated intrusion campaign carried out by a China-based threat actor, identified as Storm-0558. This campaign successfully gained access to email accounts, impacting approximately 25 organizations, including government agencies, and potentially compromising related consumer accounts.
Sophisticated Threat Actors Targeting IT Systems
As cyberattacks grow increasingly sophisticated and frequent, motivated threat actors spare no effort in compromising IT systems. Well-resourced adversaries such as Storm-0558 draw no distinction between the business and personal accounts associated with the organizations they target.
Storm-0558, identified as an espionage-motivated adversary based in China, primarily focuses on gaining access to email systems for intelligence collection, abusing credentials to access data in sensitive systems.
Mitigation Efforts and Investigation Timeline
Microsoft’s proactive investigation commenced on June 16, 2023, following reports of anomalous mail activity from customers. Over the course of a few weeks, the investigation revealed that Storm-0558 had gained unauthorized access to email data from approximately 25 organizations.
The threat actor infiltrated both organizational and associated consumer accounts using forged authentication tokens and an acquired Microsoft account (MSA) consumer signing key. Microsoft has since completed the mitigation process for all affected customers, and no further access has been detected.
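The forged-token technique described above turns on which signing keys a service is willing to accept for a given issuer. The toy verifier below is an added illustration, not Microsoft's code and not a description of the actual flaw: it shows why a key must be trusted only for the issuer whose key set published it, so that a token for an enterprise tenant signed with a key from a consumer key set is rejected even though its signature is valid. All issuers, key IDs and keys are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Toy HS256-style token (header.payload.signature); kid names the signing key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, expected_iss: str, expected_aud: str,
                 trusted_keys: Dict[str, Dict[str, bytes]]) -> Optional[dict]:
    """trusted_keys maps issuer -> {kid: key}. The kid is looked up only in the
    key set of the issuer the token must come from. Returns claims or None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64(h_b64))
        claims = json.loads(_unb64(p_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    key = trusted_keys.get(expected_iss, {}).get(header.get("kid"))
    if key is None:  # kid unknown for this issuer, including kids from other issuers' sets
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, _unb64(s_b64)) else None

# Constructed issuers and keys (placeholders, not real values).
CONSUMER_ISS = "https://consumer.example"
ENTERPRISE_ISS = "https://enterprise.example/tenant-a"
KEYS = {CONSUMER_ISS: {"msa-1": b"consumer-key-constructed"},
        ENTERPRISE_ISS: {"ent-1": b"enterprise-key-constructed"}}
# Weak variant: every known key is accepted for every issuer.
POOLED = {iss: {k: v for ks in KEYS.values() for k, v in ks.items()} for iss in KEYS}

def demo() -> tuple:
    """Enterprise-tenant token signed with the consumer key: strict trust rejects it, pooled trust does not."""
    claims = {"iss": ENTERPRISE_ISS, "aud": "mail-api", "sub": "user@tenant-a"}
    cross_set = sign_token(claims, "msa-1", KEYS[CONSUMER_ISS]["msa-1"])
    genuine = sign_token(claims, "ent-1", KEYS[ENTERPRISE_ISS]["ent-1"])
    strict = (verify_token(cross_set, ENTERPRISE_ISS, "mail-api", KEYS) is None,
              verify_token(genuine, ENTERPRISE_ISS, "mail-api", KEYS) == claims)
    pooled_accepts = verify_token(cross_set, ENTERPRISE_ISS, "mail-api", POOLED) is not None
    return strict, pooled_accepts
```

The pooled variant is what an audit should look for: any verifier that resolves a `kid` against a combined key set, rather than the key set of the expected issuer, will accept a correctly signed token from the wrong trust domain.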
Coordinated Response and Collaborative Efforts
Microsoft’s real-time investigation, combined with its collaboration with impacted customers, proved crucial in swiftly applying protections within the Microsoft Cloud to defend against Storm-0558’s intrusion attempts.
The company promptly contacted affected customers, providing support and guidance throughout the incident. Recognizing the gravity of the situation, Microsoft has also partnered with relevant government agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), to ensure a coordinated response and enhance overall cybersecurity resilience.
In a comment to Hackread.com, Shobhit Gautam, Solutions Architect, EMEA at HackerOne said that “Storm-0558, speculated to be a state-sponsored actor, is also known to use custom malware such as Cigril and Bling for the purpose of espionage.”
“Exploiting vulnerabilities in the supplier network has become a key tactic in the attacker’s playbook, and the best way to identify complex vulnerability risk is to take an outsider’s mindset that looks at how an attacker might make use of a variety of weaknesses to chain together to have a far more powerful impact,” Gautam warned.
Takeaway
The evolving cyber threat landscape constantly poses challenges, particularly with speculated state-sponsored actors like Storm-0558 actively exploiting vulnerabilities in IT systems. Adding to the growing concerns, recent weeks have witnessed two additional reports of sophisticated malicious activities originating from China.
On June 23rd, researchers from Check Point reported a targeted campaign by the Chinese APT group Mustang Panda, also known as Camaro Dragon, involving espionage malware. The campaign specifically targeted the European healthcare sector through the use of USB drives.
Continuing their investigation, Check Point published another report on July 5th, highlighting the escalating interest of Chinese threat actors in targeting European governments, embassies, and entities involved in foreign policy-making. Mustang Panda once again emerged as the group behind the campaign, utilizing a previously unseen malware dubbed SmugX.
Taken together, these incidents serve as a harsh reminder for organizations to remain vigilant and implement robust security measures to safeguard against sophisticated threats in an ever-evolving digital world.