Storm-0558

Threat Actor Profile Updated 3 months ago
Download STIX
Preview STIX
Storm-0558, a threat actor believed to be operating on behalf of the Chinese government, has been identified by Microsoft as the group responsible for a significant breach involving customer email accounts. The attack was initiated through Outlook Web Access in Exchange Online and Outlook.com, with the attackers leveraging forged authentication tokens to gain access. The investigation into this malicious activity began on June 16 after Microsoft received reports of unusual mail activity. This China-based threat actor is known for its sophisticated methods, including the use of custom malware like Cigril and Bling for espionage purposes. The impact of Storm-0558's activities is far-reaching, affecting approximately 25 organizations, which include U.S. defense industrial base entities (Circle Typhoon / DEV-0322, Mulberry Typhoon / Manganese, and Volt Typhoon / DEV-0391), U.S. critical infrastructure, and government bodies in Europe, the U.S., and Taiwan (Charcoal Typhoon / Chromium and Flax Typhoon / Storm-0919). In one notable incident, the group reportedly accessed the email account of the United States ambassador to China, compromising hundreds of thousands of individual U.S. government emails. In September, Microsoft revealed that Storm-0558 had stolen around 60,000 emails and found additional vulnerabilities that allowed the group to compromise the cloud accounts of U.S. officials. This persistent threat from Storm-0558 underscores the need for robust cybersecurity measures, particularly for high-value targets such as government agencies and critical infrastructure. With state-sponsored actors like Storm-0558 posing significant threats, organizations must remain vigilant and proactive in their cybersecurity efforts.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Volt Typhoon
1
Volt Typhoon is a sophisticated threat actor, linked to China, that has managed to infiltrate and remain undetected within US infrastructure for several years. The group exhibits strong operational security and uses advanced techniques such as obfuscation of their malware to avoid detection. These t
Mulberry Typhoon / Manganese
1
None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
State Sponso...
Outlook
Malware
Chromium
Microsoft
Government
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Charcoal TyphoonUnspecified
1
Charcoal Typhoon, a China-affiliated threat actor, has been identified as one of the state-backed groups using OpenAI's ChatGPT for malicious purposes. The group is known for focusing on tracking groups in Taiwan, Thailand, Mongolia, Malaysia, France, Nepal, and individuals globally that oppose Chin
Flax TyphoonUnspecified
1
Flax Typhoon, also known as RedJuliett and Ethereal Panda in different cybersecurity circles, is a threat actor linked to China that has been actively targeting Taiwan. The group's activities have been closely monitored by several cybersecurity firms, including Microsoft and CrowdStrike. The use of
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Storm-0558 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
7 months ago
10 Most Notable Cyber Attacks of 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
a year ago
CISA anticipates ‘highly positive’ announcement on logging availability after latest Outlook breaches | Federal News Network
CERT-EU
10 months ago
Chinese Redfly Group Compromised a Nation's Critical Grid in 6-Month ShadowPad Campaign
CERT-EU
a year ago
Microsoft cloud breach findings raise "many more questions": security vendor
Checkpoint
a year ago
24th July – Threat Intelligence Report - Check Point Research
CERT-EU
a year ago
How the Microsoft cloud email breach happened
CERT-EU
a year ago
Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft