Storm-2372: Russian APT Exploits Device Code Phishing in Sophisticated Attacks


Threat Actor: Storm-2372 | Device Code Phishing Campaign | Cloud Security Threat
A newly identified cyber threat campaign by Russian state-sponsored group Storm-2372 leverages device code phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to high-value targets.

Indicators of Compromise

www.blackhillsinfosec.com

APT Groups (1)

Storm-2372 (Russian Federation)

Summary of Actor: Storm-2372 is a newly designated threat actor attributed to Russia-aligned cyber operations, first observed in August 2024. The group is known for its highly targeted credential harvesting campaigns and use of device code phishing, particularly aimed at entities within critical infrastructure, government, defense, and technology sectors.

Storm-2372 exhibits operational patterns that align with Russian strategic interests and has been actively involved in espionage-focused attacks leveraging social engineering and third-party communication platforms.

General Features:

* Nation-State Backing: Assessed to be linked to Russian intelligence or military objectives, based on targeting, tactics, and geopolitical alignment.
* Advanced Tactics: Leverages device code phishing, OAuth abuse via Microsoft Graph API, and trusted third-party messaging apps (e.g., WhatsApp, Signal, Microsoft Teams).
* Diverse Targeting: Targets include governments, NGOs, IT services, defense contractors, energy providers, higher education, and healthcare organizations.
* Evasion Capabilities: Uses legitimate communication channels, decoy meeting invites, and API-based email extraction to avoid detection and gain persistent access.

Related Other Groups:

APT28 (Fancy Bear), APT29 (Cozy Bear)

Indicators of Attack (IoA):

* Device Code Phishing
* Third-Party Messaging Abuse
* Email Collection via Microsoft Graph API

Recent Activities and Trends:

* Phishing Campaign Surge (Q3 2024): Highly targeted phishing campaigns against NATO-aligned government entities and critical infrastructure operators.
* Hybrid Communications Exploits: Increasing use of trusted chat platforms to socially engineer victims and bypass traditional email defenses.

Emerging Trends:

* OAuth Exploitation for Persistence
* Tailored Social Engineering
* Target Expansion

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1566 - Phishing


ID | Data Source | Data Component

DS0015 | Application Log | Application Log Content

Detects: Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

DS0022 | File | File Creation

Detects: Monitor for newly constructed files originating from phishing messages sent to gain access to victim systems.

DS0029 | Network Traffic | Network Traffic Content

Detects: Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18]



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
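The DKIM+SPF/header-analysis check mentioned under DS0015 Application Log Content, shown as an added Python example that is not part of the original page or of the ATT&CK data-source text: it parses the Authentication-Results header of two constructed messages (the server name mx.example.net, the addresses and the IP 203.0.113.7 are assumptions) and reports SPF/DKIM/DMARC results and From/envelope domain misalignment.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real captures). The first carries an
# Authentication-Results header reporting SPF/DKIM/DMARC failures for a
# spoofed From: domain; the second passes all three checks.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.net; spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bounce.attacker.invalid; dkim=none header.d=none; dmarc=fail action=none header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Action required: confirm your account

Please review the attached request.
"""

LEGIT_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Monthly maintenance window

Routine notice.
"""


def parse_authentication_results(value):
    """Parse an RFC 8601 Authentication-Results header value into
    {method: {"result": ..., <property>: <value>, ...}}."""
    # Drop CFWS comments such as "(sender IP is 203.0.113.7)".
    value = re.sub(r"\([^)]*\)", " ", value)
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id, e.g. mx.example.net
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            if key:
                entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def assess_sender(raw_message):
    """Return a list of findings that suggest the visible sender is spoofed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_authentication_results(str(msg.get("Authentication-Results", "")))
    findings = []
    # Any result other than "pass" (including an absent method) is worth a look.
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, {}).get("result", "missing")
        if result != "pass":
            findings.append(f"{method} result is {result}")
    # Header analysis: the From: domain should align with the SPF-checked envelope domain.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    envelope_domain = auth.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2]
    if from_domain and envelope_domain and not (
        envelope_domain == from_domain or envelope_domain.endswith("." + from_domain)
    ):
        findings.append(
            f"From domain {from_domain} does not align with envelope domain {envelope_domain}"
        )
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, assess_sender(raw) or "no findings")
```

The alignment test is the relaxed (organizational-domain) form; a stricter deployment would require an exact match and would also compare header.d from the DKIM clause against the From: domain.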



T1530 - Data from Cloud Storage Object


ID | Data Source | Data Component

DS0025 | Cloud Service | Cloud Service Metadata

Detects: Monitor M365 Audit logs for TeamsSessionStarted Operations against MicrosoftTeams workloads involving suspicious ClientIPs and suspect accounts (UserId).

Analytic 1 - Sessions initiated from unusual IP addresses, high volume of sessions from a single account, sessions at unusual times

index="m365_audit_logs" Operation="TeamsSessionStarted" | stats count by UserId, ClientIP, CreationTime | where ClientIP!="expected_ip" OR UserId!="expected_user" | sort CreationTime

DS0010 | Cloud Storage | Cloud Storage Access

Detects: Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.
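Analytic 1 for DS0025 above, carried out outside Splunk as an added Python example (not code from the original page): it applies the same three checks, an unexpected ClientIP, a high session volume from one account, and sessions at unusual hours, to constructed M365 unified audit log records. The corporate egress range 198.51.100.0/24, the 07:00-19:00 business window and the threshold of five sessions are assumptions to be replaced with the environment's own values.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed Microsoft 365 unified audit log records (not real data). The field
# names match the analytic above: Operation, Workload, UserId, ClientIP, CreationTime.
def _record(ts, user, ip, op="TeamsSessionStarted", workload="MicrosoftTeams"):
    return json.dumps({"CreationTime": ts, "Operation": op, "Workload": workload,
                       "UserId": user, "ClientIP": ip})

SAMPLE_LOG_LINES = [
    _record("2024-09-12T09:15:02", "a@example.com", "198.51.100.10"),
    _record("2024-09-12T10:02:41", "a@example.com", "198.51.100.10"),
    # one session from outside the corporate range, at 03:12
    _record("2024-09-12T03:12:44", "b@example.com", "203.0.113.44"),
    # a non-Teams record that the filter must ignore
    _record("2024-09-12T11:00:00", "a@example.com", "198.51.100.10",
            op="FileAccessed", workload="OneDrive"),
] + [
    # six sessions from one account within an hour, from the same outside IP
    _record(f"2024-09-12T14:{m:02d}:00", "c@example.com", "203.0.113.44")
    for m in range(0, 60, 10)
]

# Assumed corporate egress range; replace with the real expected_ip set.
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_records(lines):
    """Parse JSON audit lines, keeping only Teams session starts (the
    Operation/Workload filter from the SPL analytic)."""
    records = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") != "TeamsSessionStarted" or rec.get("Workload") != "MicrosoftTeams":
            continue
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def find_anomalies(records, expected_networks, business_hours=(7, 19), volume_threshold=5):
    """Apply the three checks of Analytic 1 and return the hits per check."""
    unusual_ip = set()
    unusual_time = []
    per_user = Counter()
    for rec in records:
        user, ip, ts = rec["UserId"], rec["ClientIP"], rec["CreationTime"]
        per_user[user] += 1  # stats count by UserId
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in expected_networks):  # ClientIP != expected
            unusual_ip.add((user, ip))
        if not (business_hours[0] <= ts.hour < business_hours[1]):  # unusual time
            unusual_time.append((user, ts.isoformat()))
    return {
        "unusual_ip": sorted(unusual_ip),
        "high_volume": sorted(u for u, n in per_user.items() if n >= volume_threshold),
        "unusual_time": unusual_time,
    }


if __name__ == "__main__":
    for check, hits in find_anomalies(parse_records(SAMPLE_LOG_LINES), EXPECTED_NETWORKS).items():
        print(check, hits)
```

The volume check counts sessions per account over the whole input; in production, bucket CreationTime into windows (for example one hour) before counting so that a long retention period does not inflate every account past the threshold.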


T1106 - Native API


ID | Data Source | Data Component

DS0011 | Module | Module Load

Detects: Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity.

Analytic 1 - Look for unusual or abnormal DLL loads, processes loading DLLs not typically associated with them

sourcetype=Sysmon EventCode=7 | stats count by module_name process_name user | where module_name IN ("ntdll.dll", "kernel32.dll", "advapi32.dll", "user32.dll", "gdi32.dll")

DS0009 | Process | OS API Execution

Detects: Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and may be difficult to distinguish from malicious behavior. Correlating other events with the behavior surrounding API function calls, using API monitoring, provides additional context that may help determine whether an event is due to malicious behavior. Correlation of activity by process lineage (by process ID) may be sufficient.


T1553 - Subvert Trust Controls


ID | Data Source | Data Component

DS0017 | Command | Command Execution

Detects: Command monitoring may reveal malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.

DS0022 | File | File Metadata

Detects: Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.



File Modification

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[1] Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[1]

On macOS, the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.

DS0011 | Module | Module Load

Detects: Enable CryptoAPI v2 (CAPI) event logging [7] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033).[1]

DS0009 | Process | Process Creation

Detects: Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.

DS0024 | Windows Registry | Windows Registry Key Creation

Detects: Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There is a subset of root certificates that are consistent across Windows systems and can be used for comparison: [8]

* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25
* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85
* 3B1EFD3A66EA28B16697394703A72CA340A05BD5
* 7F88CD7223F3C813818C994614A89C99FA3B5247
* 8F43288AD272F3103B6FB1428485EA3014C0BCFE
* A43489159A520F0D93D032CCAF37E7FE20A8B419
* BE36A4562FB2EE05DBB3D32323ADF445084ED656
* CDD4EEAE6000AC7F40C3802C171E30148030C072



Windows Registry Key Modification

Monitoring changes to the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: [8] Also consider enabling the Registry Global Object Access Auditing [9] setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:[10]
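The baseline comparison described under DS0024 (Windows Registry Key Creation and Key Modification), as an added Python example that is not part of the original page: it takes the eight thumbprints listed above as the baseline, parses a constructed sample of `reg query` output for the machine Root store (subkey names under the Certificates key are SHA-1 thumbprints), and reports roots that are neither baseline nor on an allowlist, as well as baseline roots that are missing. The all-zero thumbprint ending in 0001 is a constructed placeholder for an unknown root, not a real certificate.

```python
import re

# The eight baseline root certificate thumbprints listed on the page
# (consistent across Windows systems, per reference [8]).
BASELINE_ROOT_THUMBPRINTS = frozenset({
    "18F7C1FCC3090203FD5BAA2F861A754976C8DD25",
    "245C97DF7514E7CF2DF8BE72AE957B9E04741E85",
    "3B1EFD3A66EA28B16697394703A72CA340A05BD5",
    "7F88CD7223F3C813818C994614A89C99FA3B5247",
    "8F43288AD272F3103B6FB1428485EA3014C0BCFE",
    "A43489159A520F0D93D032CCAF37E7FE20A8B419",
    "BE36A4562FB2EE05DBB3D32323ADF445084ED656",
    "CDD4EEAE6000AC7F40C3802C171E30148030C072",
})

# Constructed sample (not a real capture) of what `reg query <key> /s` prints for
# the machine Root store: one subkey path per certificate plus indented value
# lines, which the parser must ignore. The ...0001 entry is a placeholder.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
    Blob    REG_BINARY    0300000001000000140000000A0B0C0D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\3b1efd3a66ea28b16697394703a72ca340a05bd5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0000000000000000000000000000000000000001
"""

# A subkey whose last path component is a 40-hex-character SHA-1 thumbprint.
THUMBPRINT_RE = re.compile(r"\\([0-9A-Fa-f]{40})\s*$")


def normalize_thumbprint(value):
    """Uppercase and strip separators so 'cd d4 ee ae' and 'CDD4EEAE' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def parse_reg_query_output(text):
    """Extract thumbprint-shaped subkey names from `reg query` output."""
    found = []
    for line in text.splitlines():
        match = THUMBPRINT_RE.search(line.strip())
        if match:
            found.append(normalize_thumbprint(match.group(1)))
    return found


def find_unknown_roots(thumbprints, baseline, allowlist=frozenset()):
    """Roots present in the store that are neither baseline nor explicitly allowed
    (an enterprise CA would go on the allowlist)."""
    known = {normalize_thumbprint(t) for t in baseline} | {normalize_thumbprint(t) for t in allowlist}
    return sorted({normalize_thumbprint(t) for t in thumbprints} - known)


def missing_baseline_roots(thumbprints, baseline):
    """Baseline roots absent from the store; removal is also worth investigating."""
    present = {normalize_thumbprint(t) for t in thumbprints}
    return sorted({normalize_thumbprint(t) for t in baseline} - present)


if __name__ == "__main__":
    store = parse_reg_query_output(SAMPLE_REG_QUERY_OUTPUT)
    print("unknown roots:", find_unknown_roots(store, BASELINE_ROOT_THUMBPRINTS))
    print("missing baseline roots:", missing_baseline_roots(store, BASELINE_ROOT_THUMBPRINTS))
```

Run the same comparison against both the SystemCertificates and EnterpriseCertificates paths named above, and against HKCU as well as HKLM, since a per-user root store is just as trusted by the applications that consult it.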


T1134 - Access Token Manipulation


ID | Data Source | Data Component

DS0026 | Active Directory | Active Directory Object Modification

Detects: Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

DS0017 | Command | Command Execution

Detects: Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[29]

DS0009 | Process | OS API Execution

Detects: Monitor for API calls, loaded by a payload, for token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [30], DuplicateTokenEx [31], and ImpersonateLoggedOnUser [32]). Please see the referenced Windows API pages for more information.



Process Creation

Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.



Process Metadata

Query systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.[33] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.

DS0002 | User Account | User Account Metadata

Detects: Monitor contextual data about accounts (username, user ID, environmental data, etc.) for signs that access tokens are being modified to operate under a different user or system security context to perform actions and bypass access controls.

Observed Countries (31)

AU (66)
BE (818)
BG (357)
CA (556)
CY (652)
CZ (474)
DE (390)
DK (316)
EE (67)
ES (733)
FI (627)
FR (779)
GB (998)
GR (805)
HR (918)
HU (135)
IE (793)
IT (718)
LT (734)
LU (873)
LV (682)
MT (976)
NL (462)
PL (500)
PT (754)
RO (747)
SE (471)
SI (384)
SK (370)
UA (602)
US (98)