Microsoft: Another Chinese cyberspy crew targeting US critical orgs 'as of yesterday'

Redmond threat intel maven explains this persistent pain to The Reg


A Chinese government-linked group that Microsoft tracks as Storm-2077 has been actively targeting critical organizations and US government agencies as of yesterday, according to Redmond's threat intel team.

The new-ish crew has been around since at least January, and while Microsoft declined to enumerate Storm-2077's victim count, "there are indicators that this group is active as of yesterday, actively pursuing threat activity," Sherrod DeGrippo, director of threat intelligence strategy, told The Register.

The espionage crew's activity overlaps somewhat with that of Silk Typhoon (aka Hafnium), and with activity that other vendors track as TAG-100. Over the last 12 months, the Chinese spies mostly focused on US targets in the defense industrial base, aviation, telecommunications, financial and legal services industries, plus government and non-governmental agencies.

"They're a significant threat, particularly because they really do embody the activity of persistence," DeGrippo said.

Storm-2077 typically gains initial access by exploiting security vulnerabilities in public-facing applications or, since September, with spear phishing emails that contain malicious attachments or links. The goal here is to trick people into opening a document or connecting to a website that downloads SparkRAT, an open-source remote administration tool written in Go that provides persistent access to victims' machines. The crew appears not to use custom malware.

DeGrippo said many actors deploy SparkRAT. "Even national-aligned threat actors … are pulling commodity malware out of that trading ecosystem and using it for remote access," she said.

Even just five years ago, "that was sort of a shocking thing to see a nation-sponsored, espionage-focused threat actor group really leveraging off the shelf malware," DeGrippo added. "Today we see it very frequently."

Once they've broken in, Storm-2077 gets to work stealing credentials to cloud applications including Microsoft 365 and eDiscovery, a tool used by legal professionals to review documents. Abusing legitimate applications helps the intruders to evade detection – they look like just another user, but the gang uses its access to steal email communications and sensitive files.

DeGrippo said the group uses the data it steals to understand victims’ operations.

"If you have the email communications that go with that file, and reference that file, and talk about what the point of it is, and why they're using it, what it means, and why I'm sending this to you - it gives a richness to the intelligence gathering that the threat actor is doing," she said.

Storm-2077's victims overlap with some of the sectors hit by other Chinese cyber-spy crews like Salt Typhoon (which has attacked telcos around the world) and Volt Typhoon.

DeGrippo said the threat isn't going away anytime soon.

"China continues to focus on these kinds of targets," she said. "They're pulling out files that are of espionage value, communications that are contextual espionage value to those files, and looking at US interests." ®

Editor's note: This story was amended post-publication as Microsoft mistakenly referred to the threat actor Storm-2077 as Storm-0227. We're happy to now set the record straight with the correct label.
