Full Report
In April 2020, Microsoft acquired Affirmed Networks. Sometime prior to that, Storm-0558 likely gained access to a device used by one of the company’s engineers, and retained that access following the acquisition, which allowed the threat actor to move laterally into Microsoft’s...
Analysis Summary
# Incident Report: Storm-0558 Compromise of Affirmed Networks Preceding Microsoft Acquisition
## Executive Summary
The threat actor group Storm-0558 likely compromised an engineer's device at Affirmed Networks prior to its acquisition by Microsoft in April 2020. This persistence allowed the threat actor to move laterally into Microsoft's corporate network post-acquisition, potentially leading to the compromise of a highly sensitive Microsoft signing key.
## Incident Details
- Discovery Date: Not explicitly stated (Implied ongoing threat leading to later discovery/impact).
- Incident Date: Prior to April 2020 (Initial access at Affirmed Networks). Continued post-April 2020 (Lateral movement into Microsoft environment).
- Affected Organization: Affirmed Networks (Initial subject), subsequently Microsoft (Lateral movement target).
- Sector: Technology/Networking Software.
- Geography: Not specified.
## Timeline of Events
### Initial Access
- Date/Time: Sometime prior to April 2020.
- Vector: Likely a compromised device belonging to an Affirmed Networks engineer.
- Details: Storm-0558 gained access to the engineer's device.
### Lateral Movement
- Date/Time: Likely post-April 2020 (after Microsoft acquisition).
- Vector: Retention of access from the initial compromise was leveraged to move laterally into Microsoft’s corporate environment.
- Details: Access was maintained across the organizational boundary change following the acquisition.
### Data Exfiltration/Impact
- Date/Time: Ongoing/Not fully detailed.
- Impact: Potential compromise of a Microsoft signing key. Credential theft observed according to the source material summary.
### Detection & Response
- Detection Date: Not specified in the context provided.
- Response Actions: Not specified in the context provided, other than observing credential theft techniques.
## Attack Methodology
- **Initial Access:** Likely phishing, malware, or exploitation targeting an engineer's device at Affirmed Networks.
- **Persistence:** Retained access following the Microsoft acquisition (implied account or system persistence).
- **Privilege Escalation:** Not specified, but necessary for lateral movement into the corporate environment.
- **Defense Evasion:** Not specified.
- **Credential Access:** Credential theft is noted as observed in the reporting/summary source, but the specific techniques are not described.
- **Discovery:** Not specified.
- **Lateral Movement:** Gained access from the acquired entity's environment into the parent company's (Microsoft) network.
- **Collection:** Not specified beyond observations suggesting credential access.
- **Exfiltration:** Not specified in detail, but the summary source notes data exfiltration as observed.
- **Impact:** Potential signing key compromise.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Potential compromise of high-value assets, including cryptographic signing keys.
- Operational: Lateral movement into the corporate environment suggests operational risk.
- Reputational: Not specified.
## Indicators of Compromise
- *Note: No specific IoCs were provided in the source context.*
- Network indicators: [Not Available]
- File indicators: [Not Available]
- Behavioral indicators: Lateral movement across organizational boundaries post-acquisition.
## Response Actions
- Containment measures: [Not specified in the provided context]
- Eradication steps: [Not specified in the provided context]
- Recovery actions: [Not specified in the provided context]
## Lessons Learned
- **Third-Party Risk:** Acquisitions introduce significant risk, as pre-existing compromises within the acquired entity can persist and map onto the acquiring organization's environment.
- **M&A Security Due Diligence:** Security posture and endpoint compromise status of acquired entities must be thoroughly vetted *before* close, or immediately post-close, to prevent inherited security debt.
- **Persistence Across Corporate Transitions:** Threat actors are highly motivated to maintain access across significant corporate changes (like acquisitions).
## Recommendations
- Implement enhanced auditing and access review immediately following any M&A activity, particularly focusing on endpoints and accounts migrating from the acquired entity.
- Conduct deep forensic scans of all migrated systems following acquisition, assuming a high potential for pre-existing persistence mechanisms.
- Review and rotate critical organizational security material (like cryptographic keys) if there is any indication that the acquired environment had persistent, low-level access to systems that interact with those assets.