- Microsoft says a new threat actor has started targeting critical infrastructure
- The group is linked to Silk Typhoon
- It engages in spear phishing and vulnerability exploitation
Storm-0227, a Chinese state-sponsored Advanced Persistent Threat (APT) actor, began targeting critical infrastructure organizations and government agencies in the United States.
So says Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft.
Speaking with The Register recently, DeGrippo said the group is exploiting software vulnerabilities and engaging in spear phishing attacks to gain access to people’s devices.
Commodity malware
Once they gain access, they deploy various Remote Access Trojans (RATs) and other malware to obtain login credentials for services like Microsoft 365. They also steal sensitive documents and anything else they can get their hands on. The aim of the campaign is cyber espionage.
What’s interesting about Storm-0227 is that it uses off-the-shelf malware, which would have been quite a shock a few years ago: “Even national threat actors…are pulling commodity malware from that trading ecosystem and using it for remote access,” she told the publication. Half a decade ago, “it was quite shocking to see a nation-sponsored, espionage-oriented group of threat actors actually using off-the-shelf malware,” she added. Now, she said, they “see it very often.”
There was no word on the number of victims, but DeGrippo described the group as an “embodiment of perseverance.”
“China continues to focus on these types of goals,” she said. “They pull out files that have espionage value, communications that have contextual espionage value to those files, and look at American interests.”
Storm-0227 appears to overlap, at least partially, with Silk Typhoon, Microsoft further said. There’s a whole list of “typhoon” threat actors, all on the Chinese government payroll, and all apparently tasked with spying on Western governments, critical infrastructure companies, and other areas of interest (military, space, and the like).
That includes Volt Typhoon, Salt Typhoon, Flax Typhoon and Brass Typhoon. Salt Typhoon was recently linked to a number of high-profile breaches, including at least four major US telecom operators.
Via The Register