Full Report
Researchers from Microsoft have detected cyberattacks being launched by a group, called Storm-2372, which it assesses with medium... The post Microsoft details Russia-linked cyberattacks by Storm-2372 targeting governments, NGOs, critical infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Storm-2372
## Attribution & Identity
Storm-2372 is a threat actor that Microsoft assesses, with medium confidence, to be aligned with Russia's interests and tradecraft.
## Activity Summary
Storm-2372 has been active since August 2024, running phishing campaigns aimed at credential and token theft that specifically abuse the device code sign-in flow. Operations open with rapport-building over third-party messaging services (WhatsApp, Signal, Microsoft Teams), with the actor impersonating prominent individuals relevant to the target. The target is then sent a phishing email whose link leads to a pending device code authentication request; the victim completes it on the genuine Microsoft sign-in page, so the experience looks legitimate because the page itself is. Once the actor holds the victim's tokens, it moves laterally by sending further device code phishing links from the compromised mailbox to other users inside the organization. The objective appears to be data collection, above all email harvesting.
## Tactics, Techniques & Procedures
- **Initial Access:** Rapport building through social engineering via third-party messaging services (WhatsApp, Signal, Teams), impersonating relevant prominent figures.
- **Credential/Token Harvesting:** Abuse of the OAuth 2.0 **device code authorization flow** (RFC 8628). The actor starts the flow itself, receiving a device code and a short user code, and sends the user code to the target inside a lure that imitates a messaging-service invitation or sign-in prompt. The target enters the code on the legitimate Microsoft device-login page and completes password and MFA there; the identity platform then issues the access and refresh tokens for the victim's account to the client that started the flow, that is, to the actor. The actor never handles a password or an MFA prompt, and the page the victim sees is genuine.
- **Persistence/Lateral Movement:** A phished refresh token is presented with the Microsoft Authentication Broker client ID to register an actor-controlled device in Entra ID and obtain a Primary Refresh Token (PRT). The PRT keeps silently minting fresh tokens for as long as it is renewed and not revoked, so access outlives the originally phished tokens unless the device is removed and the user's sessions are revoked.
- **Data Collection:** Using compromised accounts, the actor leverages **Microsoft Graph** Search API (using keywords like `username`, `password`, `admin`, `credentials`, etc.) for reconnaissance within emails, followed by email exfiltration via Microsoft Graph.
- **Evasion:** Using proxies that are situationally and regionally appropriate for the targets to conceal suspicious sign-in activity.
- **MITRE ATT&CK IDs (implied by TTPs):** T1566.002 (Phishing: Spearphishing Link), T1566.003 (Phishing: Spearphishing via Service), T1528 (Steal Application Access Token), T1098.005 (Account Manipulation: Device Registration), T1534 (Internal Spearphishing), T1114.002 (Email Collection: Remote Email Collection), T1090 (Proxy).
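The following is an added example, not code from the report or from Microsoft: an offline, in-memory simulation of the device authorization grant that the Activity Summary and the Credential/Token Harvesting bullet above describe. The mock server is modelled on the Microsoft identity platform endpoints (`POST .../oauth2/v2.0/devicecode`, then `POST .../oauth2/v2.0/token` with `grant_type=urn:ietf:params:oauth:grant-type:device_code`); the client name, the victim UPN and the token values are placeholders. It shows why the tokens land with the party that started the flow, and why the lure has to be timed: Entra device codes expire after roughly 15 minutes.

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628)
and of how device code phishing abuses it. Added example; MockAuthServer is an
in-memory stand-in for the identity platform, not Microsoft's implementation."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://microsoft.com/devicelogin"   # the real page users are sent to


@dataclass
class PendingRequest:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    authorized_by: Optional[str] = None   # UPN of whoever typed the user code


class MockAuthServer:
    """Minimal authorization server implementing the device code grant."""

    def __init__(self, lifetime_s: int = 900):      # Entra codes live about 15 minutes
        self.lifetime_s = lifetime_s
        self._pending = {}        # device_code -> PendingRequest
        self._by_user_code = {}   # user_code -> device_code

    def devicecode(self, client_id: str, scope: str, now: Optional[float] = None) -> dict:
        """Step 1: the client (in the attack, the actor) starts the flow and
        receives BOTH codes. Only the short user_code is meant for a human."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self._pending[device_code] = PendingRequest(client_id, scope, user_code,
                                                    now + self.lifetime_s)
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime_s, "interval": 5}

    def user_authorizes(self, user_code: str, upn: str, mfa_satisfied: bool,
                        now: Optional[float] = None) -> bool:
        """Step 2: a user opens VERIFICATION_URI, signs in (password + MFA) and
        types the user code. The page never shows who requested the code."""
        now = time.time() if now is None else now
        req = self._pending.get(self._by_user_code.get(user_code))
        if req is None or not mfa_satisfied or now >= req.expires_at:
            return False
        req.authorized_by = upn
        return True

    def token(self, client_id: str, device_code: str,
              grant_type: str = DEVICE_CODE_GRANT, now: Optional[float] = None) -> dict:
        """Step 3: the client polls /token. After approval, tokens for the
        approving user's account go to whoever holds the device_code."""
        now = time.time() if now is None else now
        req = self._pending.get(device_code)
        if grant_type != DEVICE_CODE_GRANT or req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}
        if now >= req.expires_at:
            self._pending.pop(device_code)
            self._by_user_code.pop(req.user_code, None)
            return {"error": "expired_token"}
        if req.authorized_by is None:
            return {"error": "authorization_pending"}
        self._pending.pop(device_code)
        self._by_user_code.pop(req.user_code, None)
        return {"token_type": "Bearer", "scope": req.scope, "subject": req.authorized_by,
                "access_token": "at." + secrets.token_urlsafe(8),    # placeholder values
                "refresh_token": "rt." + secrets.token_urlsafe(8)}   # what the actor reuses later


def phishing_scenario(server: MockAuthServer, victim_upn: str = "victim@example.org") -> dict:
    """Actor starts the flow, lures the victim into typing the user code, and
    collects the tokens. Returns the actor's final /token response."""
    actor_client = "public-client-chosen-by-actor"    # assumption: any public client_id
    codes = server.devicecode(actor_client, "openid offline_access Mail.Read")
    # Lure sent to the victim: "join with code {user_code} at {verification_uri}".
    assert server.token(actor_client, codes["device_code"]) == {"error": "authorization_pending"}
    # The victim completes a genuine sign-in, MFA included, and types the code.
    server.user_authorizes(codes["user_code"], victim_upn, mfa_satisfied=True)
    return server.token(actor_client, codes["device_code"])


def late_victim_scenario(server: MockAuthServer) -> dict:
    """Same lure, but the victim acts after the code expired: the actor gets nothing."""
    actor_client = "public-client-chosen-by-actor"
    codes = server.devicecode(actor_client, "openid offline_access Mail.Read", now=0.0)
    too_late = float(server.lifetime_s + 1)
    server.user_authorizes(codes["user_code"], "victim@example.org", True, now=too_late)
    return server.token(actor_client, codes["device_code"], now=too_late)


if __name__ == "__main__":
    print(phishing_scenario(MockAuthServer()))
```

Nothing in step 2 binds the approval to the device the victim is using, which is the design property the technique exploits; the same property is why blocking the flow for users who do not need it is the decisive control.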
## Targeting
- **Sectors:** Governments, Non-Governmental Organizations (NGOs), Information Technology (IT) services and technology, Defense, Telecommunications, Health, Higher Education, and Energy/Oil and Gas.
- **Geography:** Europe, North America, Africa, and the Middle East.
- **Victims:** Not specified individually in the provided text.
## Tools & Infrastructure
- **Malware Families Used:** None explicitly named; the intrusion is carried out with stolen OAuth tokens and abuse of the Microsoft Graph API rather than malware binaries.
- **Infrastructure:** Relies on legitimate Microsoft services (Entra ID, the Microsoft Authentication Broker client, Microsoft Graph) rather than actor-hosted command-and-control. Sign-ins are routed through proxies whose geography matches the target so that the activity blends with normal access patterns.
## Implications
Storm-2372 relies on token-based authentication abuse that sidesteps password entry altogether. MFA is not bypassed in the technical sense: the victim satisfies it on the genuine sign-in page, and the tokens that result are issued to the actor, so MFA strength alone does not stop the attack. The resulting access is deep and persistent (refresh tokens, a registered device and a PRT) and gives the actor sustained reach into cloud environments and mailbox contents. The consistent targeting of government and critical infrastructure sectors points to espionage or strategic disruption aligned with state interests.
## Mitigations
- Enforce **Multifactor Authentication (MFA)** everywhere and prefer **phishing-resistant** methods (FIDO2 security keys, passkeys, certificate-based authentication) over telephony-based MFA. Caveat: device code phishing never captures an MFA response, because the victim completes MFA on the genuine page, so strong MFA is necessary but not sufficient against this technique.
- Block the device code flow where it is not needed, using a Conditional Access authentication-flows policy, and carve out only the accounts and applications (for example headless administrative tooling) that genuinely require it.
- Centralize identity management (e.g., Microsoft Entra) and feed all sign-in, audit and device-registration logs into a SIEM for centralized monitoring and hunting.
- Apply Entra ID Protection sign-in and user risk signals in Conditional Access policies (require re-authentication or block at elevated risk) rather than relying on default detections alone.
- Enforce the **Principle of Least Privilege** and continuously audit privileged account activity.
- Restrict device registration and join to managed, compliant devices, review newly registered devices, and do not synchronize high-privileged on-premises accounts to the cloud.
- On suspected compromise, revoke the user's refresh tokens (Microsoft Graph `revokeSignInSessions`) and disable or delete the actor-registered device; already-issued access tokens stay valid until they expire, so expect a short window of residual access.
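As an added detection sketch, not a query from the report or from Microsoft, the block below runs the SIEM correlation implied by the mitigations above over constructed sign-in events shaped like a subset of the Microsoft Graph `signIn` resource: a successful sign-in with `authenticationProtocol` equal to `deviceCode`, followed within a window by a sign-in for the same user from the Microsoft Authentication Broker app, is raised as high severity; a device-code sign-in without that follow-up is raised as medium. The broker app ID is the well-known first-party value; every other app ID, IP address, user and timestamp is made up for the example. Source IP is deliberately not used as the key signal, since the actor proxies through regionally appropriate addresses.

```python
"""Detection sketch for the Storm-2372 sign-in pattern: a device-code sign-in
followed, for the same user, by a sign-in from the Microsoft Authentication
Broker app (device registration / PRT acquisition). Added example over
constructed log lines; not Microsoft's hunting query."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # Microsoft Authentication Broker
FOLLOW_UP_WINDOW = timedelta(hours=24)

# Constructed sample (subset of Graph signIn fields). Only the broker appId is real.
SAMPLE_SIGNIN_LOG = r"""
{"createdDateTime":"2025-02-10T08:02:11Z","userPrincipalName":"alice@example.org","appId":"00000000-0000-0000-0000-00000000aaaa","appDisplayName":"Mail client","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","deviceDetail":{"deviceId":"corp-laptop-01"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:15:40Z","userPrincipalName":"alice@example.org","appId":"00000000-0000-0000-0000-00000000aaaa","appDisplayName":"Mail client","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","deviceDetail":{"deviceId":""},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:48:03Z","userPrincipalName":"alice@example.org","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","deviceDetail":{"deviceId":"7f2c-unmanaged"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T10:00:00Z","userPrincipalName":"bob@example.org","appId":"00000000-0000-0000-0000-00000000cccc","appDisplayName":"CLI tool","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","deviceDetail":{"deviceId":""},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T10:05:00Z","userPrincipalName":"carol@example.org","appId":"00000000-0000-0000-0000-00000000aaaa","appDisplayName":"Mail client","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.30","deviceDetail":{"deviceId":"corp-laptop-07"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T10:10:00Z","userPrincipalName":"dave@example.org","appId":"00000000-0000-0000-0000-00000000aaaa","appDisplayName":"Mail client","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","deviceDetail":{"deviceId":""},"status":{"errorCode":50126}}
"""


def parse_events(raw: str) -> List[Dict]:
    """One JSON object per line; adds a parsed UTC timestamp and sorts by time."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["_ts"] = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per successful device-code sign-in, escalated to
    'high' when the same user later signs in via the Authentication Broker."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["userPrincipalName"]].append(ev)

    findings = []
    for upn, evs in by_user.items():
        for ev in evs:
            # Failed attempts (non-zero errorCode) yielded no tokens; skip them here.
            if ev.get("authenticationProtocol") != "deviceCode" or ev["status"]["errorCode"] != 0:
                continue
            broker = next((b for b in evs
                           if b["appId"] == AUTH_BROKER_APP_ID
                           and ev["_ts"] < b["_ts"] <= ev["_ts"] + FOLLOW_UP_WINDOW), None)
            finding = {"user": upn, "severity": "medium",
                       "device_code_at": ev["createdDateTime"],
                       "app": ev["appDisplayName"], "ip": ev["ipAddress"],
                       "broker_at": None, "new_device_id": None}
            if broker is not None:
                finding.update(severity="high", broker_at=broker["createdDateTime"],
                               new_device_id=broker["deviceDetail"].get("deviceId"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_SIGNIN_LOG)):
        print(f)
```

Response to a high-severity finding is the last mitigation bullet: revoke the user's refresh tokens and remove the device recorded in `new_device_id`. A medium finding for an account with no history of device-code sign-ins (a baseline this sample is too short to build) deserves the same treatment unless the app is a known headless tool.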