Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine

May 2 Stormous update: The Trustwave SpiderLabs team has noted Stormous’ underground website became inaccessible on April 29. At this time it is not known why the site is down. We will continue to monitor for additional threat intelligence.

18651_offline-image

As part of our regular Dark Web and cybercriminal research, Trustwave SpiderLabs has uncovered and analyzed postings from a  politically motivated, pro-Russian ransomware group named Stormous. The group has recently proclaimed support for Russia in its war with Ukraine, attacking the Ukraine Ministry of Foreign Affairs and allegedly obtaining and making public phone numbers, email addresses, and national identity cards. But the group also claims to have a successful ransomware operation and has taken responsibility for cyber attacks on major American brands Coca-Cola, Mattel and Danaher. In total, Stormous claims to have already accessed and defaced 700 U.S. websites and attacked 44 American companies.

As of April 29, the group has listed the Coca-Cola data for sale on its Dark Web site. At the time of publishing, Coca-Cola has neither confirmed nor denied whether the data listed is legitimate. Most recently, the gang has promised to release additional stolen information from multinational toy manufacturer Mattel and medical diagnostics and healthcare technology company Danaher on May 1.

 

18644_picture1f

Stormous’ announcement of the Coca-Cola data for sale and teasing new data dumps from other US companies

 

Who Is Stormous and Where Does Its Allegiance Lie?

Stormous, which may have begun operating as early as mid-2021, has posted a mission statement stating its objective is to attack targets in the U.S. and other western nations. This goal shifted in 2022, adding Ukraine and India to its target list. The way they discuss countries as their targets as opposed to specific businesses or industries suggests that politics more influence these shifts in targets than financial gain.

 

18646_picture2f

Screenshot from the Stormous Dark Web page

 

Our initial analysis of Stormous indicates the gang likely has members located in Mid-Eastern countries and Russia.  Some of the group's postings are written in Arabic along with its public pro-Russian stance, which is consistent with the region. Moreover, two of the group's members that were arrested were from mid-eastern countries.

The group communicates through a Telegram channel and an .onion website on Tor. There is little chatter on the Telegram channel, with the conversation mainly comprised of the group’s proclamations. While the group identifies itself as a ransomware group, it is not operating as a Ransomware-as-a-Service (RaaS), and it’s not known what type of ransomware it may be using in their campaigns

The group's motivating principles and behavior somewhat resemble the Lapsus$ hacker group, which targets entities mainly in the Western hemisphere. Like Lapsus$, Stormous is quite “loud” online and looks to attract attention to itself, making splashy proclamations on the Dark Web and utilizing Telegram to communicate with its audience and organize to determine who to hack next.

Click-Bait or Serious Business?

Stormous has stated that on May 1, it will put up for sale data allegedly exfiltrated from toy manufacturer Mattel and Danaher, a global science and technology innovator. However, the group did not define the type or amount of data it had taken, and neither Mattel nor Danaher reported suffering a related cyber incident.

Stormous has already claimed responsibility for an alleged attack on the Coca-Cola Corp that it claims garnered 161GB of data. The group began selling the data on April 24 for 1.6 BTC, or about $64,000.

 

18647_picture3f

Screenshot purporting to be stolen data from Coca-Cola, which shows passwords and name accounts.

 

The soft drink giant has confirmed that it has contacted law enforcement and is investigating a cyber incident but has so far offered no details on what might have transpired, according to Security Week.

The screenshot from Stormous site shows that the data it sells includes files with names such as accounts.zip and passwords.txt. If those files indeed contain the content that their names imply, then that content can be used by hackers for exploring additional ways to connect to Coca Cola's networks in an unauthorized way.

There is some debate within the cybersecurity community on the validity of Stormous’ claims, specifically in relation to the Coca-Cola hack. The community questions whether or not the group has truly breached the companies named and exfiltrated data or if it’s merely scavenging previously stolen or public information. For example, Mattel announced in November 2020, that it had been successfully hit by a ransomware attack earlier that year. The Stormous attackers could be simply compiling this already stolen data and packaging it as a ‘new’ breach in an attempt to earn quick money.

Stormous has also claimed to have successfully attacked several targets in India and Saudi Arabia and possibly a Chinese government site.

 

18648_picture4g

Stormous’ logo wall of alleged victims

 

Stormous is also representative of another recent trend that sees threat actors creating a "corporate-like" structure and business model. In this case, perhaps because Stormous is relatively new to the scene, its postings and communications appear to be a brand-building exercise. Also, by pre-announcing the availability of supposedly stolen data, the group is trying to hype demand as any company might do with a new product. Finally, by taking a political stance, it likely hopes to attract supporters with similar viewpoints.

Politically Motivated Targeted Attacks

Stormous has posted its support for Russia and is claiming to have attacked the Ukraine Ministry of Foreign Affairs, obtaining and making public phone numbers, email addresses, and national identity cards. However, this attack, like the others, has not been corroborated.

 

18645_picture5g

Stormous’ official statement on its support for Russia

 

Stormous' actions are not unique. Since the Russia-Ukraine war started on Feb. 14, threat groups have been lining up to support each side. Trustwave SpiderLabs reported on this activity soon after hostilities broke out.

Multiple sources have used Facebook and other social media outlets to try and gather a force to conduct these attacks. Most notably, Yegor Aushev, co-founder of a cybersecurity company in Kyiv, told Reuters he wrote a post calling for underground cyber defenders at the request of a senior Ukrainian Defense Ministry official who contacted him.  

Trustwave SpiderLabs has observed similar calls to cyber arms on the Dark Web. These include links to groups organizing to attack Russian entities, sites containing instructions on how to conduct a DDoS attack, and a recommended DDoS attack target list. 

 

18649_picture6h

A message in Arabic from the Stormous Telegram channel stating it had attacked the Ukraine Ministry of Foreign Affairs

 

The Stormous group has also signaled that it won’t stand by and allow other entities, such as ransomware groups, to attack Russia. Stormous has declared it will respond to any attack against Russia, noting that if the attacks on Russia stop then, Stormous will halt its efforts.

 

18643_picture7h

A note from the Stormous Telegram channel

 

A New Age of Cybercriminal

The new style of threat group Stormous represents, being unafraid of -- and in fact seeking public adulation -- can make its members more susceptible to being found and arrested.

While there may be an upside from a clout and branding perspective to making hacking activities public, law enforcement can use communications information to bring cybercriminals more swiftly to justice.

Trustwave SpiderLabs will continue to track the threat of Stormous and group’s activities as more information becomes available.

 

Latest SpiderLabs Blogs

Hunting For Integer Overflows In Web Servers

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia:

Read More

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More