Full Report
Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077. The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said.
Analysis Summary
# Storm-2077 Threat Intelligence Summary
## Main Topic
A nascent Chinese state-sponsored threat actor, tracked as **Storm-2077**, has been actively targeting government agencies and non-governmental organizations (NGOs) in the United States since at least January 2024. This group has also extended its operations globally against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services sectors.
## Key Points
- Storm-2077's activity overlaps with a threat group known as **TAG-100** tracked by Recorded Future's Insikt Group.
- Initial access often involves targeting internet-facing edge devices using publicly available exploits.
- Post-exploitation often involves deploying sophisticated tools like **Cobalt Strike** alongside open-source malware such as **Pantegana** and **Spark RAT**.
- A primary objective appears to be intelligence gathering, specifically by harvesting credentials for eDiscovery applications to exfiltrate sensitive emails.
- In cloud environments, Storm-2077 has been observed gaining access by harvesting credentials from compromised endpoints, followed by creating their own application with mail read rights.
## Threat Actors
- **Storm-2077**: Identified as a new China state threat actor.
- **Overlaps with TAG-100**: The cluster of activity aligns with the group tracked by Recorded Future's Insikt Group.
## TTPs
- **Initial Access**: Exploiting publicly available vulnerabilities on internet-facing edge devices.
- **Execution/Persistence**: Dropping Cobalt Strike and deploying open-source malware (Pantegana, Spark RAT).
- **Credential Harvesting**: Phishing emails targeting valid credentials for eDiscovery applications.
- **Lateral Movement/Cloud Access**: Harvesting credentials from compromised endpoints to gain administrative access to cloud environments.
- **Data Exfiltration**: Exfiltrating emails, either through compromised eDiscovery tools or through a self-created cloud application granted mail read rights.
## Affected Systems
- **Geographic/Sectoral Targets**: United States Government Agencies, NGOs, Defense Industrial Base (DIB), Aviation, Telecommunications, Financial Services, and Legal Services globally.
- **Initial Points of Compromise**: Various internet-facing edge devices.
- **Cloud Environments**: Attackers target cloud environments after compromising endpoints.
- **Application Targets**: eDiscovery applications for email exfiltration.
## Mitigations
*Since the provided context focuses only on detection and activity rather than specific patches or official vendor mitigations, general defensive strategies based on the observed TTPs are inferred:*
- Harden and patch internet-facing edge devices to prevent initial exploitation.
- Monitor for the deployment of Cobalt Strike, Pantegana, and Spark RAT.
- Implement multi-factor authentication (MFA) universally, especially for cloud access and eDiscovery platforms.
- Audit cloud environments for newly created unauthorized applications, particularly those holding broad mail read permissions.
- Enhance monitoring for credential harvesting via phishing that targets specific application access.
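The following is an added example, not code from the report or from Microsoft: it illustrates the audit mitigation above by flagging the cloud pattern attributed to Storm-2077, an application registered and then granted mail-read scopes within a short window. The sample records, field names and the 24-hour threshold are constructed assumptions; only the Mail.* names are real Microsoft Graph permission scopes.

```python
"""Added example, not from the original report: flag cloud applications that
were registered and then granted mail-read permissions shortly afterwards.
Assumptions: records are constructed and simplified; activity strings and
field names only imitate a Microsoft Entra ID audit-log export, while the
Mail.* names are Microsoft Graph permission scopes."""
from datetime import datetime, timedelta

# Registration-to-mail-consent gap treated as suspicious (assumed threshold).
NEW_APP_WINDOW = timedelta(hours=24)

# Constructed sample records (not real tenant data); "app" is the app object id.
SAMPLE_AUDIT_LOG = [
    {"time": "2024-03-05T02:14:09", "activity": "Add application", "app": "a1",
     "name": "Helpdesk Sync", "actor": "jdoe@example.org", "permissions": []},
    {"time": "2024-03-05T02:16:31", "activity": "Consent to application", "app": "a1",
     "name": "Helpdesk Sync", "actor": "jdoe@example.org",
     "permissions": ["User.Read", "Mail.Read", "Mail.ReadWrite"]},
    {"time": "2024-03-06T09:00:00", "activity": "Consent to application", "app": "a2",
     "name": "HR Portal", "actor": "admin@example.org",
     "permissions": ["User.Read", "Calendars.Read"]},
    {"time": "2024-01-10T11:00:00", "activity": "Add application", "app": "a3",
     "name": "Ticketing", "actor": "admin@example.org", "permissions": []},
    {"time": "2024-03-07T11:00:00", "activity": "Consent to application", "app": "a3",
     "name": "Ticketing", "actor": "admin@example.org", "permissions": ["Mail.Read"]},
]


def grants_mail_read(permissions):
    """True if any scope exposes mailbox content: Mail.Read, Mail.ReadBasic,
    Mail.ReadWrite and their .All / .Shared variants all start with Mail.Read."""
    return any(p.startswith("Mail.Read") for p in permissions)


def find_new_apps_with_mail_access(records, window=NEW_APP_WINDOW):
    """Return (app name, actor, consent time) for every app that received a
    mail-read scope within `window` of its registration. Input order does not
    matter; records are sorted by time first."""
    registered, findings = {}, []
    for rec in sorted(records, key=lambda r: r["time"]):
        ts = datetime.fromisoformat(rec["time"])
        if rec["activity"] == "Add application":
            registered[rec["app"]] = ts
        elif rec["activity"] == "Consent to application" and grants_mail_read(rec["permissions"]):
            created = registered.get(rec["app"])
            if created is not None and ts - created <= window:
                findings.append((rec["name"], rec["actor"], rec["time"]))
    return findings
```

On the constructed log only "Helpdesk Sync" is flagged: "HR Portal" never receives a mail scope and "Ticketing" was registered two months before its consent, so a long-standing app acquiring Mail.Read is left for a separate review rather than this rule.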
## Conclusion
Storm-2077 is a state-sponsored actor that blends commodity and custom tradecraft to pursue intelligence objectives, focusing on sensitive sectors in the US and worldwide. Organizations should prioritize securing edge devices and rigorously monitoring cloud service configurations for the unauthorized access methods observed in this campaign.