🇨🇳

Storm-2077

APT Group Information theft and espionage 3 zero-day CVEs ETDA ✓

Also Known As 3 names

Storm-2077 TAG-100 RedNovember

Target Countries 15

Countries highlighted in red

Plurinational State of Bolivia Cuba Djibouti Dominican Republic Fiji France Indonesia Italy Japan Cambodia Malaysia Netherlands Province of China Taiwan United States Vietnam

Sectors Targeted

Government Telecommunications 517 Embassies Space Research and Technology 927 Religious Organizations 8131 Finance and Insurance 52 High-Tech National Security and International Affairs 928 Financial Professional, Scientific, and Technical Services 54

Details

Origin 🇨🇳 CN

Last Updated 25 Nov 2024

MITRE ATT&CK 15

T1036 - Masquerading T1046 - Network Service Scanning T1055 - Process Injection T1068 - Exploitation for Privilege Escalation T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol T1190 - Exploit Public-Facing Application T1204 - User Execution T1530 - Data from Cloud Storage Object T1566 - Phishing T1571 - Non-Standard Port T1583 - Acquire Infrastructure T1589 - Gather Victim Identity Information T1590 - Gather Victim Network Information T1598.003 - Spearphishing via Service

Related Zero-Days 3

CVE-2022-30190 CVE-2024-24919 CVE-2024-3400

Known Names 2 entries

TAG-100 Recorded Future

Storm-2077 Microsoft

Observed Target Countries 16

Based on ETDA data — countries highlighted in red

Bolivia Cambodia Cuba Djibouti Dominican Republic Fiji France Indonesia Italy Japan Malaysia Netherlands Taiwan UK USA Vietnam

Description

(Recorded Future) Recorded Future’s Insikt Group identified new suspected cyber-espionage activity targeting high-profile government, intergovernmental, and private sector organizations globally. This activity, which we are tracking under the temporary group designator TAG100, has employed open-source remote access capabilities and exploited a wide range of internet-facing appliances for initial access. Using Recorded Future® Network Intelligence data, Insikt Group identified the likely compromise of the secretariats of two major Asia-Pacific intergovernmental organizations by TAG100 using the open-source, multi-platform Go backdoor Pantegana. Other targeted organizations include multiple diplomatic entities and ministries of foreign affairs, as well as industry trade associations and semiconductor supply-chain, non-profit, and religious organizations globally. At this time, Insikt Group is continuing to explore potential attribution for this activity; however, the specific targeting and victimology identified align with a suspected espionage motive.

Tools Used 5

Cobalt Strike CrossC2 LESLIELOADER Pantegana SparkRAT

Reports & References 2

https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/

ETDA Profile

TAG-100

Origin

China

First Seen 2024

Sponsor State-sponsored

Motivation

Information theft and espionage

View on ETDA APT Groups ↗