Storm-2372

Rank: 2

Summary of Actor: Storm-2372 is a newly designated threat actor attributed to Russia-aligned cyber operations, first observed in August 2024. The group is known for its highly targeted credential harvesting campaigns and use of device code phishing, particularly aimed at entities within critical infrastructure, government, defense, and technology sectors.

Storm-2372 exhibits operational patterns that align with Russian strategic interests and has been actively involved in espionage-focused attacks leveraging social engineering and third-party communication platforms.

General Features: 
  • Nation-State Backing: Assessed to be linked to Russian intelligence or military objectives, based on targeting, tactics, and geopolitical alignment.
  • Advanced Tactics: Leverages device code phishing, OAuth abuse via Microsoft Graph API, and trusted third-party messaging apps (e.g., WhatsApp, Signal, Microsoft Teams).
  • Diverse Targeting: Targets include governments, NGOs, IT services, defense contractors, energy providers, higher education, and healthcare organizations.
  • Evasion Capabilities: Uses legitimate communication channels, decoy meeting invites, and API-based email extraction to avoid detection and gain persistent access.
Related Groups:

APT28 (Fancy Bear), APT29 (Cozy Bear)

Indicators of Attack (IoA):
  • Device Code Phishing
  • Third-Party Messaging Abuse
  • Email Collection via Microsoft Graph API
Recent Activities and Trends:
  • Phishing Campaign Surge (Q3 2024): Highly targeted phishing campaigns against NATO-aligned government entities and critical infrastructure operators.
  • Hybrid Communications Exploits: Increasing use of trusted chat platforms to socially engineer victims and bypass traditional email defenses.
Emerging Trends:
  • OAuth Exploitation for Persistence
  • Tailored Social Engineering
  • Target Expansion



...

Also Known As:

Storm 2372

Target Countries

France

Latvia

Ukraine

Canada

United Kingdom

(6 more countries not shown)


Target Sectors

Energy & Utilities

Information Services

Educational Services

Health Care & Social Assistance

Public Administration

(2 more sectors not shown)


ATT&CK IDs:

T1071.001 - Application Layer Protocol: Web Protocols

T1078 - Valid Accounts

T1566.002 - Phishing: Spearphishing Link

T1528 - Steal Application Access Token

T1114.002 - Email Collection: Remote Email Collection

Tactic                 ID      Technique
Collection             T1114   Email Collection
Command and Control    T1071   Application Layer Protocol
Credential Access      T1528   Steal Application Access Token
Defense Evasion        T1078   Valid Accounts
Initial Access         T1078   Valid Accounts
Initial Access         T1566   Phishing
Persistence            T1078   Valid Accounts
Privilege Escalation   T1078   Valid Accounts