
Storm-2372: Russian APT Exploits Device Code Phishing in Sophisticated Attacks
Summary of Actor: Storm-2372 is a newly designated threat actor attributed to Russia-aligned cyber operations, first observed in August 2024. The group is known for its highly targeted credential harvesting campaigns and use of device code phishing, particularly aimed at entities within critical infrastructure, government, defense, and technology sectors. Storm-2372 exhibits operational patterns that align with Russian strategic interests and has been actively involved in espionage-focused attacks leveraging social engineering and third-party communication platforms.

General Features:
- Nation-State Backing: Assessed to be linked to Russian intelligence or military objectives, based on targeting, tactics, and geopolitical alignment.
- Advanced Tactics: Leverages device code phishing, OAuth abuse via Microsoft Graph API, and trusted third-party messaging apps (e.g., WhatsApp, Signal, Microsoft Teams).
- Diverse Targeting: Targets include governments, NGOs, IT services, defense contractors, energy providers, higher education, and healthcare organizations.
- Evasion Capabilities: Uses legitimate communication channels, decoy meeting invites, and API-based email extraction to avoid detection and gain persistent access.

Related Other Groups: APT28 (Fancy Bear), APT29 (Cozy Bear)

Indicators of Attack (IoA):
- Device Code Phishing
- Third-Party Messaging Abuse
- Email Collection via Microsoft Graph API

Recent Activities and Trends:
- Phishing Campaign Surge (Q3 2024): Highly targeted phishing campaigns against NATO-aligned government entities and critical infrastructure operators.
- Hybrid Communications Exploits: Increasing use of trusted chat platforms to socially engineer victims and bypass traditional email defenses.

Emerging Trends:
- OAuth Exploitation for Persistence
- Tailored Social Engineering
- Target Expansion
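Device code flow sign-ins are the initial-access signal for this actor. The following Python is an added example, not from this page or any vendor tooling: it groups constructed Entra ID sign-in records by the IP that redeemed the device code, because one IP completing the flow for several accounts is a stronger signal than any single device code sign-in. The field names authenticationProtocol, ipAddress and resourceDisplayName follow the Entra sign-in log schema; the sample values and the shared_threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records (field names follow the
# sign-in log schema; accounts, IPs and times are invented for this example).
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","resourceDisplayName":"Microsoft Graph","createdDateTime":"2024-09-02T09:14:00Z"}
{"userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","resourceDisplayName":"Microsoft Graph","createdDateTime":"2024-09-02T10:02:00Z"}
{"userPrincipalName":"bob@example.org","authenticationProtocol":"none","ipAddress":"203.0.113.11","resourceDisplayName":"Office 365 Exchange Online","createdDateTime":"2024-09-02T10:05:00Z"}
{"userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","resourceDisplayName":"Microsoft Graph","createdDateTime":"2024-09-02T10:09:00Z"}
{"userPrincipalName":"carol@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","resourceDisplayName":"Microsoft Graph","createdDateTime":"2024-09-02T10:11:00Z"}
"""

def device_code_signins_by_ip(raw, shared_threshold=2):
    """Group device code flow sign-ins by the IP that redeemed the code.

    In device code phishing the victim only types a code into a legitimate
    Microsoft page; the token is issued to whoever started the flow, so the
    ipAddress of a deviceCode sign-in is the requesting host, not the victim.
    One IP completing the flow for several accounts is therefore escalated.
    shared_threshold (assumed value) is the account count that triggers 'high'.
    """
    records = [json.loads(l) for l in raw.strip().splitlines() if l.strip()]
    by_ip = defaultdict(lambda: {"accounts": set(), "resources": set(), "times": []})
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # interactive / other flows are out of scope here
        entry = by_ip[r["ipAddress"]]
        entry["accounts"].add(r["userPrincipalName"])
        entry["resources"].add(r["resourceDisplayName"])
        entry["times"].append(r["createdDateTime"])
    findings = {}
    for ip, entry in by_ip.items():
        n = len(entry["accounts"])
        findings[ip] = {
            "accounts": sorted(entry["accounts"]),
            "resources": sorted(entry["resources"]),
            "first_seen": min(entry["times"]),
            # every deviceCode sign-in deserves review; shared IPs are high
            "severity": "high" if n >= shared_threshold else "review",
        }
    return findings

if __name__ == "__main__":
    for ip, finding in device_code_signins_by_ip(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

Resources of interest for this actor are Microsoft Graph tokens, since those are what enable the API-based mailbox collection described above.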
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1566 - Phishing
Detects:
- Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically visit these sites to determine if they are potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.
- Monitor for newly constructed files delivered by phishing messages that are used to gain access to victim systems.
- Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18]
- Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
T1530 - Data from Cloud Storage Object
Detects:
- Monitor M365 Audit logs for TeamsSessionStarted Operations against MicrosoftTeams workloads involving suspicious ClientIPs and suspect accounts (UserId).
  Analytic 1 - Sessions initiated from unusual IP addresses, high volume of sessions from a single account, sessions at unusual times:
    index="m365_audit_logs" Operation="TeamsSessionStarted"
    | stats count by UserId, ClientIP, CreationTime
    | where ClientIP!="expected_ip" OR UserId!="expected_user"
    | sort CreationTime
- Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.
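The three conditions named in Analytic 1 above (sessions from unusual IPs, high volume from a single account, sessions at unusual times) carried through in Python over constructed M365 unified audit records, as an added example that is not part of this page. The corporate egress range, business hours and volume threshold are assumed values a team would replace with its own baseline.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime

EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range
BUSINESS_HOURS = range(7, 19)  # assumed, hours of day in the log's time zone
VOLUME_THRESHOLD = 3           # assumed: sessions per account within the input window

# Constructed sample of M365 audit records (Operation/Workload/UserId/ClientIP/
# CreationTime follow the unified audit log field names; values are invented).
SAMPLE_AUDIT = """
{"Operation":"TeamsSessionStarted","Workload":"MicrosoftTeams","UserId":"alice@example.org","ClientIP":"203.0.113.25","CreationTime":"2024-09-02T09:14:00"}
{"Operation":"TeamsSessionStarted","Workload":"MicrosoftTeams","UserId":"alice@example.org","ClientIP":"198.51.100.7","CreationTime":"2024-09-02T02:41:00"}
{"Operation":"TeamsSessionStarted","Workload":"MicrosoftTeams","UserId":"bob@example.org","ClientIP":"198.51.100.7","CreationTime":"2024-09-02T10:00:00"}
{"Operation":"TeamsSessionStarted","Workload":"MicrosoftTeams","UserId":"bob@example.org","ClientIP":"198.51.100.7","CreationTime":"2024-09-02T10:01:00"}
{"Operation":"TeamsSessionStarted","Workload":"MicrosoftTeams","UserId":"bob@example.org","ClientIP":"198.51.100.7","CreationTime":"2024-09-02T10:02:00"}
{"Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"bob@example.org","ClientIP":"198.51.100.7","CreationTime":"2024-09-02T10:03:00"}
"""

def is_expected_ip(ip):
    """True when the client IP falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)

def analyze_teams_sessions(raw):
    """Return one alert per TeamsSessionStarted event that trips any condition."""
    events = [json.loads(l) for l in raw.strip().splitlines() if l.strip()]
    sessions = [e for e in events
                if e["Operation"] == "TeamsSessionStarted" and e["Workload"] == "MicrosoftTeams"]
    per_user = Counter(e["UserId"] for e in sessions)  # volume per account
    alerts = []
    for e in sessions:
        reasons = []
        if not is_expected_ip(e["ClientIP"]):
            reasons.append("unexpected_ip")
        if per_user[e["UserId"]] >= VOLUME_THRESHOLD:
            reasons.append("high_volume")
        if datetime.fromisoformat(e["CreationTime"]).hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            alerts.append({"user": e["UserId"], "ip": e["ClientIP"],
                           "time": e["CreationTime"], "reasons": reasons})
    return sorted(alerts, key=lambda a: a["time"])

if __name__ == "__main__":
    for alert in analyze_teams_sessions(SAMPLE_AUDIT):
        print(alert)
```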
T1106 - Native API
Detects:
- Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially by abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity.
  Analytic 1 - Look for unusual or abnormal DLL loads, i.e. processes loading DLLs not typically associated with them:
    sourcetype=Sysmon EventCode=7
    | stats count by module_name process_name user
    | where module_name IN ("ntdll.dll", "kernel32.dll", "advapi32.dll", "user32.dll", "gdi32.dll")
- Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and may be difficult to distinguish from malicious behavior. Correlating other events with the behavior surrounding API function calls will provide additional context that may assist in determining whether an event is due to malicious behavior. Correlation of activity by process lineage (process ID and parent process ID) may be sufficient.
T1553 - Subvert Trust Controls
Detects:
- Command monitoring may reveal malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.
- Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
- Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[1] Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[1] On macOS, the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.
- Enable CryptoAPI v2 (CAPI) event logging [7] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033).[1]
- Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.
- Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There is a subset of root certificates that is consistent across Windows systems and can be used for comparison:[8]
    * 18F7C1FCC3090203FD5BAA2F861A754976C8DD25
    * 245C97DF7514E7CF2DF8BE72AE957B9E04741E85
    * 3B1EFD3A66EA28B16697394703A72CA340A05BD5
    * 7F88CD7223F3C813818C994614A89C99FA3B5247
    * 8F43288AD272F3103B6FB1428485EA3014C0BCFE
    * A43489159A520F0D93D032CCAF37E7FE20A8B419
    * BE36A4562FB2EE05DBB3D32323ADF445084ED656
    * CDD4EEAE6000AC7F40C3802C171E30148030C072
- Monitoring changes to the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. The subset of root certificates that is consistent across Windows systems (listed under Registry key creation above) can be used for comparison.[8] Also consider enabling the Registry Global Object Access Auditing [9] setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values and (sub)keys related to SIPs and trust providers.[10]
T1134 - Access Token Manipulation
Detects:
- Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
- Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[29]
- Monitor for API calls made by a payload for token manipulation; this is only feasible through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [30], DuplicateTokenEx [31], and ImpersonateLoggedOnUser [32]). Please see the referenced Windows API pages for more information.
- Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
- Query systems for process and thread token information and look for inconsistencies, such as a user-owned process impersonating the local SYSTEM account.[33] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW-provided EventHeader ProcessId identifies the actual parent process.
- Monitor contextual data about an account (username, user ID, environmental data, etc.) for signs that access tokens are being modified to operate under a different user or system security context to perform actions and bypass access controls.