Red Hot Cyber


RHC DarkLab Interview Stormous Ransomware. Between history, ideology, techniques and tactics

Redazione RHC : 24 November 2024 20:14

The Stormous group represents a significant threat in the ransomware landscape: it has an established reputation for its targeted attacks and its overtly pro-Russian ideology. The group may have started operating in mid-2021 and later became known for its aggressive presence on Telegram, its geopolitical motivations and its philosophy of attacking organisations perceived to be hostile to Russia, to which it declared its support. From 2022 it has accordingly targeted, and sought to destabilise, organisations in countries it considers enemies, including the United States, Western countries, India and Ukraine. Attacks of this kind not only compromise the victims’ systems, but also contribute to the spread of Russian propaganda, reinforcing the perception of a cyber war on a global scale.

With affiliates who appear to hail from Russia and the Middle East, and a business structure similar to that of other ransomware operations, one of Stormous’ distinguishing features is its preference for stealing and publishing large amounts of data in addition to encrypting victims’ files, often with cryptocurrency-based ransom demands.

The group has targeted critical industries, such as the oil industry, causing considerable disruption and financial losses. A striking example is the September 2023 attack against PVC-MS, a Vietnamese oil equipment assembly company. In this attack, Stormous stole 300 GB of sensitive data, including company documents and information on contract negotiations. The group initially published 10 per cent of this data, using it as a pressure instrument for a possible ransom payment.

Access to the Data Leak Site (DLS) of Stormous


In addition to its traditional attacks, Stormous has focused on high-impact media attacks, often targeting sectors such as the energy sector, exploiting as yet unpatched vulnerabilities in the victims’ computer systems. This tactic allows them to cause significant damage and affect the operational stability of key companies in various industries. We recall the breach of the University of Tor Vergata, Metal Work, and most recently Officine Group. Stormous has also managed to penetrate the defences of international companies such as Coca Cola, but also Comtrade Group in Serbia, Zewail City of Science and Technology in Egypt, Vietnam Electricity and Inwi in Morocco.

Stormous therefore represents one of the most dangerous threats in today’s computer security landscape, and one that has also claimed several victims in Italy. As we have long maintained, ‘knowing the demons is the first step to fighting them.’ Following this principle, RedHotCyber regularly interviews threat actors to help understand their TTPs and strengthen our defences accordingly.

We wanted to interview the Stormous group to better understand their work and to know their motivations.

1 – RHC: Thank you for accepting this interview. The name Stormous evokes the idea of a storm. Does it have a particular meaning or motivation behind this choice? Does it represent something deeper in your work or ideology? Was it a group born spontaneously between friends or colleagues, or was it formed with a specific intent from the beginning?
STORMOUS: The name Stormous is inspired by the concept of a “storm,” symbolizing strength. It can be interpreted in many ways, but its meaning holds greater significance for us than for anyone else. The group was not formed randomly; we established it with a strong infrastructure from the beginning. Although we faced some challenges early on, they are being gradually resolved.

2 – RHC: How are you distributed internationally to date? If possible, how many people gravitate around your RaaS?
STORMOUS: We are expanding thanks to an advanced strategy and products like RaaS. Our operations are distributed in collaboration with partners and other entities, with a medium-sized affiliate base exceeding 50 individuals.

3 – RHC: Many security researchers refer to many of your operations as ‘scavenger operations’, i.e. the publication of already leaked information online. What can you tell us about this?
STORMOUS: We do not publish data leaked by others. The issues we faced before were caused by some affiliates, as there was no oversight initially. This allowed many individuals to post data copied from other sources, which they leaked. It wasn’t our fault but theirs, and they were gradually removed. This is no longer an issue now, as we monitor every target before publishing. Additionally, every operation we announce comes from genuine new breaches carried out by us, which enhances our reputation. For instance, many of our targets (e.g., Transak, Econocom, Duvel, KAI) have confirmed our attacks. We hope this point is emphasized publicly, as we will clarify it soon.

4 – RHC: Have you ever had any friendly or rival relationships with other cybercriminal groups? How would you describe your relationship with other groups active in the ransomware scene?
STORMOUS: We maintain varied relationships with other groups. Sometimes, we collaborate with groups like GhostSec to achieve mutual goals, but we work cautiously since these relationships can be complex. Often, our collaborations involve sharing access between operators or updating RaaS services.

5 – RHC: In an environment like cybercrime, where betrayal is always a risk, how important is trust between members of your group? How do you maintain a strong bond of trust between yourselves?
STORMOUS: Trust is fundamental. We rely on a strict infrastructure in our services where members do not know each other’s identities or operations. However, there is a forum where they can share ideas, assist each other, or even follow up on negotiations among themselves.

6 – RHC: Where do you see yourselves in five or ten years? Do you think you will continue on this path or do you have other personal ambitions or dreams outside of cybercrime?
STORMOUS: In the long term, some of us may move into fields unrelated to hacking. However, for now, the goal is to expand operations and secure our brand.

7 – RHC: Reselling the data of hacked companies is a business that allows you to monetise the non-payment of ransomware ransoms. In your opinion, what are the most valuable and sellable data in the underground today?
STORMOUS: I see healthcare, financial, and personal data as the most in-demand types of information based on what we’ve sold or ransoms successfully negotiated. Clients often look for data that can be directly exploited.

8 – RHC: You took sides politically, at the beginning of the conflict between Russia and Ukraine, in support of the Russian government. Many groups by incorporating politics into their operations have led them to ruin such as the Conti ransomware cartel. Can you comment on this?
STORMOUS: Political decisions support our strategies. Our support for certain entities is a carefully considered decision based on mutual interests to avoid jeopardizing our brand at any moment. I believe Conti didn’t collapse due to political interference but for personal reasons. Our support for it was merely out of respect for the location where their operations were run.

9 – RHC: In your attacks, how often do you use ransomware to encrypt data and how often do you just do data exfiltration?
STORMOUS: We use both methods depending on the target. Encryption is used to pressure the target, and leaks are used to generate profits when payment is not made—either by selling the data or simply destroying the target’s reputation.

10 – RHC: In 2022, Stormous drastically reduced its activities, was there a specific reason?
STORMOUS: This was a result of intense legal pressure on us due to our attacks, whether published or unpublished. However, we have returned stronger than before and aim to ensure a secure infrastructure for our clients, even if it requires temporarily halting our operations.

11 – RHC: You formed some partnerships, such as the one announced on 13 July 2023 with GhostSec to target the Cuban government. Subsequently, some ministries were attacked. Do collaborations in general always bring value?
STORMOUS: Collaborations bring significant benefits if conducted cautiously. Our partnership with GhostSec demonstrates how strategic objectives can be achieved through major targets and large financial gains.

12 – RHC: We often see one of your data leak sites appear and another one close. What is the reason behind this choice?
STORMOUS: Adaptation is essential to avoid tracking and to simplify access for users visiting our blog while ensuring our operations are not disrupted.

13 – RHC: Since you have always used Telegram as a communication base, after the recent changes in the terms of policy by Pavel Durov’s group, will you continue to use the messenger or will you move on to new shores?
STORMOUS: We continuously monitor Telegram’s policies, and if necessary, we will migrate to more secure platforms soon.

Stormous Telegram channel

14 – RHC: From what we have already seen, groups like Ghosts of Palestine, GlorySec, BF Repo V3 and UserSec are very concerned about this. What is the opinion in the underground about this change of course by Telegram?
STORMOUS: While we respect changes, we choose methods that support our operations and provide us with security. Telegram was one of our primary gateways, but I believe it’s time to operate exclusively through the Tor network.

15 – RHC: In your attack techniques, do you use credentials hacked by infostealers? If so, how much?
STORMOUS: Yes, we use stolen data in our attacks, as it forms a critical part of our strategy.

16 – RHC: What can you technically tell us about a classic Stormous attack process?
STORMOUS: This depends on the working method of the affiliate.

17 – RHC: What is the logic you use to choose a specific target?
STORMOUS: We focus on large companies with valuable data or clear security weaknesses, especially those with limited or no prior cybersecurity measures.

18 – RHC: What guidelines do you provide to your affiliates? Are there any prohibited targets, such as organisations in CIS countries, health facilities, schools or national security institutions?
STORMOUS: (We do not attack many targets, nor do we take a significant percentage from them. This ensures their work falls under the scope of security rather than losing everything.) Currently, we avoid attacking hospitals and schools unless they are part of a larger institution. However, we are attacking hospitals now for several reasons, which we can share later.

19 – RHC: If during your activities you notice that a victim behaves in a way that is considered wrong for a country or goes against your values, how do you act? Do you limit yourself to ransom demands or do you apply additional pressure?
STORMOUS: If values don’t align with our goals, we use leaks to tarnish the target’s reputation alongside demanding ransoms. This is a key aspect of our approach.

20 – RHC: How do you view the current geopolitical situation? The world is creating new walls and these are mainly digital. Can you give us a comment on where we are heading in your opinion?
STORMOUS: I believe the world is turning into a massive cyberwar. We see greater opportunities in exploiting this divide, and so do other groups.

21 – RHC: Many groups criticise the vulnerability of the systems of companies and organisations, and often the weak link is human error. We’ve seen LockBit, in Operation Cronos, have its infrastructure infiltrated by law enforcement because of a patching problem. How susceptible is a group pursuing illegal cyber activities to the same vulnerabilities?
STORMOUS: Just as companies focus on protection, we work on securing our infrastructure against potential breaches. There’s no difference between a ransomware group and a large corporation if you don’t know how to… I believe you will be taken down quickly. It doesn’t depend on the number of targets or methods but on ensuring the security of the operational structure, which is far more critical than anything else.

22 – RHC: What happens if a victim tries to negotiate a ransom? Do you have a protocol for this type of situation?
STORMOUS: We have a clear negotiation protocol. If a victim tries to negotiate, we begin by assessing their seriousness and willingness to pay. We give them a set deadline to make a reasonable offer. If negotiations are slow or unproductive, we escalate pressure by leaking specific data as a warning, while keeping more sensitive data as leverage. This approach varies depending on the victim or the individual their company assigns for negotiation, as every word they say can change the course of negotiations.

23 – RHC: Tell us 3 RaaS you like and why.
STORMOUS: 1. LockBit. I admire LockBit’s services for their professionalism and rapid development. They serve as a model in this field. Despite the pressure they face, I respect their operator for past interactions with us and other matters that cannot be shared. I rank Akira and RansomHub in second place.

24 – RHC: If you had to tell a company where to start in order to be resilient to cyber attacks like yours what would you recommend?
STORMOUS: I recommend one thing: Employee training. The human factor is often the first and most critical weak link. This issue must be taken seriously.

25 – RHC: Thank you very much for the interview. We do these interviews to make our readers realise that cybersecurity is a purely technical subject and that in order to be able to win the fight against cybercrime you need to be stronger than you, who are known to often be one step ahead of everyone. Is there anything you would like to say to our readers, or to potential victims of your operations?
STORMOUS: Yes, our commercial operations and the associated attacks are not personal; they result from security negligence. If you care about your clients’ data, reputation, and more, update your systems and take cybersecurity seriously. For potential victims, collaborating with us is the safest option if you want to recover your data quickly and minimize damage. We are not bad, nor are we foolish. As I mentioned before, negotiations depend on the approach of your representative—they can change the outcome for better or worse.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.