Unmasking Storm-0978: A Deep Dive into Financial and Espionage Attacks


Published on Jul 11, 2023   —   4 min read

Storm-0978: A Confluence of Cybercrime and Espionage

In a recent revelation by Microsoft's Threat Intelligence team, a sophisticated phishing campaign has been traced back to a notorious cybercriminal group known as Storm-0978. Originating from Russia, this group has been actively targeting defense and government entities across Europe and North America, demonstrating their global reach and potential threat to international security.

Their primary method of attack involves exploiting a zero-day remote code execution vulnerability, specifically CVE-2023-36884. This vulnerability is exploited through Microsoft Word documents, indicating a high level of sophistication and knowledge of software vulnerabilities. By leveraging this vulnerability, Storm-0978 has been able to infiltrate systems undetected, posing a significant threat to the targeted organizations.

The identification of this campaign underscores the importance of robust cybersecurity measures and the need for continuous vigilance in the face of evolving cyber threats. It also highlights the critical role of threat intelligence in identifying and mitigating such sophisticated attacks. By staying ahead of the curve, organizations can better protect themselves and their stakeholders from the damaging effects of such cyber-attacks.

The Threat Actor: Storm-0978

Storm-0978, alternatively known as RomCom, is a cybercriminal group that has gained notoriety for its diverse range of cyber operations. This group, with its roots in Russia, is infamous for conducting ransomware attacks and extortion-only operations. However, what sets them apart is their targeted credential-gathering campaigns, which are believed to be in support of larger intelligence operations.

The group has developed and distributed a malicious software known as the RomCom backdoor. This backdoor allows them to gain unauthorized access to systems, providing them with a stealthy foothold within the targeted organizations. In addition to RomCom, Storm-0978 is also responsible for deploying the Underground ransomware. This particular strain of ransomware is closely related to the Industrial Spy ransomware, which was first observed in the wild in May 2022.

The activities of Storm-0978 underscore the evolving nature of cyber threats, where actors are blending traditional financial motives with strategic espionage objectives. Understanding the tactics, techniques, and procedures (TTPs) of groups like Storm-0978 is crucial for organizations to effectively defend their digital assets and maintain their operational integrity.

Targets and Tactics

Storm-0978 has a distinct approach to selecting its targets and executing its attacks. The group primarily targets organizations by using trojanized versions of popular legitimate software. This tactic involves disguising the RomCom backdoor as legitimate software, which, when installed, gives the group unauthorized access to the system.

The operations of Storm-0978 have had a significant impact on government and military organizations in Ukraine. Furthermore, organizations in Europe and North America that are potentially involved in Ukrainian affairs have also been targeted. This suggests a strategic focus on entities connected to geopolitical issues, highlighting the group's espionage motives.

In addition to these targeted operations, Storm-0978 has also conducted ransomware attacks that have notably affected the telecommunications and finance industries. These industries are critical to the functioning of modern societies and economies, and their disruption can have far-reaching consequences.

Understanding the targets and tactics of groups like Storm-0978 is crucial for organizations to develop effective cybersecurity strategies. By staying informed about the evolving threat landscape, organizations can better protect themselves against such sophisticated cyber threats.

Tools and Techniques

Storm-0978 employs a range of tools and techniques to carry out its cyber operations. One of their primary methods involves the use of trojanized versions of popular, legitimate software. By disguising their malicious RomCom backdoor as legitimate software, they are able to trick users into installing it, thereby gaining unauthorized access to their systems.

To further their deceptive tactics, Storm-0978 hosts these trojanized installers on malicious domains that mimic the legitimate software. This adds an additional layer of deceit, making it even more challenging for users to identify the threat.

In addition to their targeted operations, Storm-0978 also conducts financially motivated attacks involving ransomware. For these attacks, they use the Industrial Spy ransomware and the Underground ransomware. These strains of ransomware encrypt the victim's files and demand a ransom for their release, causing significant disruption and financial loss.

Understanding the tools and techniques used by groups like Storm-0978 is crucial for organizations to effectively defend against these threats. By staying informed about the latest cyber threats and implementing robust cybersecurity measures, organizations can better protect their digital assets and maintain their operational integrity.

Mitigation Recommendations

In the face of threats posed by groups like Storm-0978, Microsoft has put forth several mitigation recommendations to enhance cybersecurity defenses. These recommendations aim to provide robust protection against the sophisticated tactics employed by such cybercriminal groups.

Firstly, Microsoft recommends activating cloud-delivered protection in Microsoft Defender Antivirus or the equivalent in your antivirus product. This feature allows for rapid updates and responses to new and evolving threats, providing a crucial line of defense against cyber attacks.

In addition, running Endpoint Detection and Response (EDR) in block mode is advised. This allows Microsoft Defender for Endpoint to take immediate action on alerts, effectively resolving breaches and minimizing potential damage.

Lastly, Microsoft Defender for Office 365 offers enhanced phishing protection and coverage against new threats and polymorphic variants. This provides a comprehensive defense against phishing attacks, which are often the first step in a broader cyber attack.


The activities of the Storm-0978 group serve as a stark reminder of the ever-evolving cyber threat landscape. Today's cybercriminals are not just motivated by financial gains; they are increasingly blending their financial motives with strategic espionage objectives. This blend of motives adds a new dimension to the threats posed by these groups, making them more unpredictable and potentially more damaging.

In light of these developments, it is imperative for organizations to stay vigilant. They must continually assess and enhance their cybersecurity measures to effectively mitigate these threats. This includes adopting robust security solutions, staying informed about the latest threat intelligence, and fostering a culture of cybersecurity awareness within the organization.

By doing so, organizations can navigate this evolving threat landscape and ensure the security and integrity of their digital assets. In the face of groups like Storm-0978, vigilance, preparedness, and resilience are key to maintaining a robust defense against cyber threats.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.