Microsoft reveals Storm-0978 hackers target defense and government entities in Europe, North America 

Software giant Microsoft has discovered a phishing campaign targeting defense and government entities in Europe and North America that exploits the CVE-2023-36884 vulnerability. The threat actor behind it, tracked as Storm-0978, abused CVE-2023-36884, a remote code execution vulnerability that was exploited via Word documents before it was disclosed to Microsoft, using lures related to the Ukrainian World Congress.

“Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations,” Microsoft researchers wrote in a Tuesday blog post. “Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.”

The researchers added that Storm-0978 is known to target organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. “Storm-0978’s targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs. Identified ransomware attacks have impacted the telecommunications and finance industries, among others.”

Microsoft further identified that Storm-0978 conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. “Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.”

The researchers added that the group’s “ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.”

In financially motivated attacks involving ransomware, Storm-0978 uses the Industrial Spy ransomware, a strain first observed in the wild last May, and the Underground ransomware, the post disclosed. “The actor has also used the Trigona ransomware in at least one identified attack. Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass,” it added. 

Microsoft revealed that in known ransomware intrusions, Storm-0978 accessed credentials by dumping password hashes from the Security Account Manager (SAM) using the Windows registry. “To access SAM, attackers must acquire SYSTEM-level privileges. Microsoft Defender for Endpoint detects this type of activity with alerts such as Export of SAM registry hive. Storm-0978 has then used the Impacket framework’s SMBExec and WMIExec functionalities for lateral movement.”
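The credential-access and lateral-movement behaviour described above (SAM hashes dumped through the registry, then Impacket’s SMBExec and WMIExec) lends itself to a process-creation detection. The following Python script is an added example written for this article; it is not Microsoft’s detection logic or the Defender for Endpoint “Export of SAM registry hive” rule quoted above. It runs three rules over constructed Sysmon-style process events. The command-line shapes it looks for (reg.exe saving the SAM, SYSTEM or SECURITY hives; cmd.exe spawned by WmiPrvSE.exe or services.exe with output redirected to a loopback ADMIN$ or C$ share, as Impacket’s wmiexec and smbexec do by default) are assumptions based on the tools’ publicly documented default behaviour, and every sample event is constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1 / Windows 4688)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\reg.exe", r"reg query HKLM\Software\Contoso"),
    ProcEvent("ws01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ProcEvent("ws01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv"),
    ProcEvent("srv02", "CORP\\svc_admin", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1689000000.12 2>&1"),
    ProcEvent("srv02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe /Q /c echo hostname ^> \\127.0.0.1\C$\__output 2^>^&1 "
              r"> C:\Windows\TEMP\execute.bat & C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat"),
    ProcEvent("srv02", "CORP\\bob", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
]

# reg.exe save/export of the hives that hold local account secrets.
HIVE_EXPORT_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+[\"']?(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)
# Output redirected to a loopback admin share, the default shape of impacket wmiexec/smbexec (assumption).
LOOPBACK_SHARE_RE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$", re.IGNORECASE)


def _basename(win_path: str) -> str:
    """Basename of a Windows path, independent of the host OS running this script."""
    return win_path.rsplit("\\", 1)[-1].lower()


def is_hive_export(ev: ProcEvent) -> bool:
    return bool(HIVE_EXPORT_RE.search(ev.command_line))


def is_wmiexec_like(ev: ProcEvent) -> bool:
    return (_basename(ev.parent_image) == "wmiprvse.exe"
            and _basename(ev.image) == "cmd.exe"
            and bool(LOOPBACK_SHARE_RE.search(ev.command_line)))


def is_smbexec_like(ev: ProcEvent) -> bool:
    return (_basename(ev.parent_image) == "services.exe"
            and _basename(ev.image) == "cmd.exe"
            and bool(LOOPBACK_SHARE_RE.search(ev.command_line)))


RULES = [
    ("sam_hive_export", is_hive_export),
    ("wmiexec_like_child", is_wmiexec_like),
    ("smbexec_like_service", is_smbexec_like),
]


def detect(events):
    """Return one finding dict per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings.append({"host": ev.host, "user": ev.user,
                                 "rule": name, "command_line": ev.command_line})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['command_line']}")
```

Run against the sample set, the script flags the two hive exports, the WmiPrvSE-spawned shell and the service-spawned shell, and ignores the ordinary reg query and cmd /c dir. In production the hive-export rule needs an allow-list for backup agents that legitimately save hives, and the two lateral-movement rules are best joined to the originating network logon (Event ID 4624, logon type 3) so the source host is part of the alert.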

The post added that Microsoft linked Storm-0978 to previous management of the Industrial Spy ransomware market and crypter. “However, since as early as July 2023, Storm-0978 began to use a ransomware variant called Underground, which contains significant code overlaps with the Industrial Spy ransomware.”

The researchers noted that the code similarity between the two ransomware variants, together with Storm-0978’s previous involvement in Industrial Spy operations, may indicate that Underground is a rebranding of the Industrial Spy ransomware.

Since late 2022, Microsoft has identified various Storm-0978 campaigns likely driven by espionage-related motivations. Last month, the group conducted a phishing campaign against defense and government entities in Europe and North America, using lures related to the Ukrainian World Congress. The emails led to exploitation of the CVE-2023-36884 vulnerability.

“Notably, during this campaign, Microsoft identified concurrent, separate Storm-0978 ransomware activity against an unrelated target using the same initial payloads,” the post added. “The subsequent ransomware activity against a different victim profile further emphasizes the distinct motivations observed in Storm-0978 attacks.”

According to CERT-UA, Storm-0978 compromised a Ukrainian Ministry of Defense email account to send phishing emails last December. The lure PDFs attached to those emails contained links to a threat actor-controlled website hosting information-stealing malware. Before that, in October, Storm-0978 created fake installer websites mimicking legitimate software and used them in phishing campaigns. The group targeted users at Ukrainian government and military organizations to deliver RomCom, likely to obtain credentials of high-value targets.

In January, the U.K.’s National Cyber Security Centre (NCSC) disclosed that Russia-based SEABORGIUM and Iran-based TA453 hacker groups continue to use spear-phishing attacks against targeted organizations and individuals in the U.K., and other areas of interest, primarily for information gathering activity.
