Storm-0558 is a threat actor or cyber-espionage group associated with cyber-attacks. The group is known for conducting sophisticated and targeted campaigns focusing on espionage, data theft, and credential access.Â
The name “Storm-0558” is a designation given by cybersecurity researchers and experts to identify and track the activities of this specific threat actor.
In this comprehensive article, we will explore the Storm-0558 extortion group techniques, how the attack happens, and what to do if Storm-0558 compromises your systems or machines. Also, see how you can protect your business’s sensitive and critical data by taking simple preventive actions.
Storm-0558 attacks overview
Storm-0558 represents a persistent and technically adept threat actor engaged in state-sponsored cyber espionage, widely attributed to the Chinese government. The group targets US and European diplomatic, economic, and legislative bodies.
 It has been observed that forged authentication tokens are used to access user emails from approximately 25 organizations, including government agencies and related consumer accounts, in the public cloud.Â
The Cyber Safety Review Board’s (CSRB) report’s assessment of Microsoft’s security culture underscores the need for organizations to prioritize robust security measures and proactive risk management strategies. Furthermore, the CSRB’s recommendations serve as a wake-up call for cloud service providers and government agencies to enhance collaboration and implement comprehensive security protocols to mitigate the risk of future cyber-attacks.
In response to the CSRB’s findings, Microsoft has signaled a commitment to adopting a new culture of engineering security within its own networks. While the company’s response acknowledges the need for reform, the extent to which Microsoft will prioritize substantive security improvements remains to be seen.
How to identify Storm-0558Â
Indicators of compromise (IOCs) are pieces of forensic data that can help identify malicious activity or malware associated with a cyber attack. It includes the encryption extension, file hashes, and IP addresses, among other details cyber criminals leave as they infect a machine or system.Â
However, if you can’t identify the threat strain through its IOCs, you can use Proven Data’s free ransomware ID tool to check if Storm-0558 is the cyber threat encrypting your files.
Important: Some of these indicators require technical knowledge of the infected system, so you may need to contact your IT team or a digital forensics service provider.
Storm-0558 tactics, techniques, and procedures (TTP)
Storm-0558 initiated its attack by obtaining an inactive Microsoft account (MSA) consumer signing key. This key, designed for consumer accounts, contained a validation error that the threat actor exploited for unauthorized Azure AD enterprise authentication. The exploitation of this flaw allowed Storm-0558 to forge authentication tokens, enabling the impersonation of Azure AD users.
Storm-0558 gained unauthorized access to enterprise mail systems with forged authentication tokens, including Outlook Web Access (OWA) and Outlook.com.Â
Using a seemingly legitimate client flow, Storm-0558 leveraged the forged tokens to gain access to the Outlook Web Access (OWA) API. Through this access, the threat actor retrieved legitimate access tokens for Exchange Online using the GetAccessTokenForResource API. Taking advantage of a design flaw in the API, Storm-0558 could obtain new access tokens by presenting previously issued ones.
Additionally, Storm-0558 employed a combination of PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. These scripts facilitated the downloading various email components, including emails, attachments, conversations, and information about email folders.
Following the initial compromise, Storm-0558’s post-compromise activities were narrowly focused on email access and exfiltration. Rather than engaging in widespread disruption or manipulation, the threat actor targeted and extracted information from compromised email accounts.
Recent criticism of Microsoft’s security practices has highlighted the company’s response strategies and internal handling of security incidents. Despite mounting pressure, Microsoft has been accused of deflecting criticism and failing to address underlying architectural issues within its security infrastructure.
Threat actor infrastructure
Storm-0558 utilized dedicated infrastructure running the SoftEther proxy software. This strategic choice complicated detection and attribution, making it challenging to trace the actor’s activities back to their origin.
The threat actor further employed a series of dedicated infrastructure servers specifically for token replay and interaction with Microsoft services. These servers offered a more efficient means for Storm-0558 to carry out malicious activities, including managing a web panel for authentication.
STORM-0558 objectives
Storm-0558’s modus operandi reflects a sophisticated approach to cyber-espionage, characterized by the meticulous planning and execution of targeted attacks.Â
The group’s tactics often involve exploiting vulnerabilities in software systems and leveraging social engineering techniques to gain unauthorized access to sensitive data.
How to handle a Storm-0558 attack
It is important to note that handling a cyber attack can be complex and require expertise. Therefore, it is recommended that you seek professional help from a reputable data recovery service, such as Proven Data, to recover your data and remove the ransomware from your system.
You can also report the attack to law enforcement agencies, such as the FBI and cybersecurity organizations, to help prevent future attacks and catch the perpetrators.
Proven Data technicians not only retrieve ransomware-encrypted data but also create forensic reports and streamline incident response, minimizing your business downtime and financial loss.
Important: Do not pay the ransom! There’s no guarantee you’ll regain access to your data, and paying only funds these criminals enables them to target others. Learn more about the risks of paying ransoms in our in-depth article.
How to prevent cyber attacks
Preventing Storm-0558 attacks is always the best cybersecurity tactic.
Follow these tips to avoid a new cyber attack:
Keep your software up to date
Update your operating system and programs regularly to uphold security standards. Reputable OS providers consistently check their software for vulnerabilities and patch up their security standards to protect against newly detected threats.
Use reputable antivirus software
Employ reputable antivirus software to bolster protection against malware significantly, and regularly check that it is updated. You can also check your network for vulnerabilities and learn where you need to improve your security system.
Be cautious of suspicious emails
Even though there are no known cases of Storm-0558 using phishing as an attack method, it’s essential to exercise caution when dealing with emails from unfamiliar or dubious origins. Refrain from opening files or clicking on links within emails that you are not expecting or seem suspicious.
Do not download cracked software
Cracked software is the term used to describe illicitly modified or pirated versions of commercial software, typically distributed without proper authorization or licensing. Cybercriminals frequently conceal their executables within cracked software distribution websites, leading users to download and execute the malware unwittingly.
Backup your data
To prevent complete data loss in a cyber attack, regularly back up your data to an external hard drive or cloud storage service. The 3-2-1 backup strategy is highly recommended for data loss prevention.
The 3-2-1 backup strategy involves creating three copies of your data: two on different media and one offsite, ensuring redundancy and protection against data loss. And at least one copy offsite to prevent loss due to natural disasters or other local incidents.
Educate yourself and your teams
Educate yourself and your employees about the risks of cyberattacks and how to avoid them, such as avoiding suspicious emails or downloads.
Consult cybersecurity professionals
Proven Data offers cyber security services to help you keep your data protected against threat actors. From vulnerability assessment to ensure your systems and servers do not have open doors for cyber attacks to Incident Response (IR) services for immediate response in case of a successful attack.
We also have the option of managed detection and response (MDR) services that help organizations improve their security posture, minimize risk, and protect sensitive data and assets.