Storm-0558

Actor Type: Nation State
Attributed to Nation: China
Affiliated Intrusion Sets: APT31, Violet Typhoon

Storm-0558 is an intrusion set tracked by researchers at Microsoft and attributed as a China-based threat actor. In May 2023, the group was able to forge Microsoft authentication tokens, which it used to access user email from multiple customer organizations, including government agencies.

Microsoft have identified limited overlap with other groups (including APT31 / Violet Typhoon) and have observed the group previously targeting US and European government bodies and individuals connected to Taiwan and Uyghur geopolitical interests.

According to a report by the US Cyber Safety Review Board, the group has been active since approximately the year 2000. Google's Threat Analysis Group have also linked an entity tied to Storm-0558 to the 2009 compromise of Google known as 'Operation Aurora' as well as the 2011 RSA SecurID breach.


Storm-0558 Threat Reports

Report

Review of the Summer 2023 Microsoft Exchange Online Intrusion

This report by the US Cyber Safety Review Board presents the findings of an investigation into compromise of Microsoft Exchange Online mailboxes ...
