Full Report
Microsoft is calling attention to an emerging threat cluster it calls Storm-2372, which it has attributed to a new set of cyber attacks aimed at a variety of sectors since August 2024. The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas.
Analysis Summary
# Threat Actor: Storm-2372
## Attribution & Identity
Attributed to a new set of cyber attacks carried out by hackers assessed to be Russia-linked. No prior aliases for the cluster are mentioned in the source.
## Activity Summary
Storm-2372 has been active since August 2024, executing cyber attacks primarily leveraging a sophisticated phishing technique known as 'device code phishing' to compromise productivity app accounts and exfiltrate data.
## Tactics, Techniques & Procedures
- Uses the 'device code phishing' technique.
- Goal: leverage the authentication codes obtained through device code phishing to gain access to target accounts and their data. (Specific MITRE ATT&CK IDs were not provided in the source context.)
## Targeting
- Sectors: Government, Non-governmental organizations (NGOs), Information Technology (IT) services and technology, Defense, Telecommunications, Health, Higher education, Energy/Oil and gas.
- Geography: Not explicitly stated, but attribution suggests a Russian linkage.
- Victims: Focus on organizations within the enumerated sectors.
## Tools & Infrastructure
- Malware families used: Not specified.
- Infrastructure: Not specified.
## Implications
This actor presents a significant threat due to the adoption of the novel 'device code phishing' technique, designed to bypass standard authentication practices by hijacking the legitimate sign-in flow for productivity applications. This suggests potential high-level access and data theft capabilities against a diverse range of critical sectors.
## Mitigations
- Block the device code flow entirely via configuration policies.
- Enable phishing-resistant multi-factor authentication (MFA) for users.
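As an added example (not code from Microsoft's report), a small Python check a defender can run over exported Entra ID sign-in records to surface the device code sign-ins the mitigations above aim to eliminate. It assumes records shaped like the Microsoft Graph `signIn` resource, whose `authenticationProtocol` field reads `deviceCode` for this flow; the sample records are constructed.

```python
"""Surface device code flow sign-ins in exported Entra ID sign-in records.

Added example (not Microsoft's code). Assumes records shaped like the Graph
`signIn` resource, where authenticationProtocol == "deviceCode" marks this flow.
"""
from collections import defaultdict

# Constructed sample records: two ordinary OAuth2 logins build alice's baseline,
# then a successful device code login arrives from an address never seen before.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.test", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.20",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]

def baseline_ips(records):
    """Per-user source IPs seen on successful sign-ins that did NOT use device code."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen

def flag_device_code_signins(records):
    """One finding per device code sign-in; a successful one from an IP outside the
    user's baseline is 'high' (a code redeemed elsewhere), anything else 'medium'."""
    baseline = baseline_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        succeeded = r["status"]["errorCode"] == 0  # non-zero errorCode means the attempt failed
        novel_ip = r["ipAddress"] not in baseline.get(user, set())
        findings.append({"user": user, "ip": r["ipAddress"], "succeeded": succeeded,
                         "severity": "high" if succeeded and novel_ip else "medium"})
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Once the device code flow is blocked by policy, any remaining `deviceCode` sign-in attempt is itself worth investigating, so the baseline comparison matters most during the transition.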