What is Storm-0978 (RomCom)?

Storm-0978 is an Advanced Persistent Threat (APT) group that has been linked to a series of high-profile cyber-espionage campaigns. But who are they, and what are their motives? Let’s delve into the storm.

The Identity of Storm-0978

Storm-0978, as it’s known in the cybersecurity community, is a highly sophisticated APT group. Its origins are still a subject of ongoing investigation, but the group’s tactics, techniques, and procedures (TTPs) suggest a well-funded and organized entity.

Microsoft’s Threat Intelligence Center (MSTIC) has been tracking Storm-0978’s activities and has noted the group’s penchant for dual-purpose attacks. These attacks are designed not only to steal sensitive information but also to disrupt operations and cause financial damage.

The Motives: Espionage and Financial Gain

Storm-0978’s motives appear to be twofold. On one hand, they are engaged in cyber espionage, targeting specific industries and organizations to gather intelligence. On the other hand, they are also driven by financial gain, as evidenced by their attacks on financial institutions and cryptocurrency exchanges.

Storm-0978 lure document with Ukrainian World Congress and NATO content | Picture by Microsoft TI team

One of the group’s most notable campaigns targeted Ukraine and NATO membership talks at the NATO summit. This operation, dubbed “RomCom” by BlackBerry researchers, was a clear demonstration of the group’s espionage capabilities. The attackers used spear-phishing emails to trick their targets into revealing sensitive information, a tactic that is a hallmark of APT groups.

The Tactics: A Blend of Old and New

Storm-0978’s modus operandi is a blend of traditional and innovative tactics. They use spear-phishing emails, watering hole attacks, and exploit kits to gain initial access to their targets. Once inside, they deploy custom malware to maintain persistence and move laterally within the network.

One of the group’s unique traits is their use of living-off-the-land (LOTL) techniques. They leverage legitimate tools and processes already present in the victim’s environment to avoid detection and blend in with normal network activity.

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.