December 2023: The Initial Disruption

Last December, insights from the Arkose Cyber Threat Intelligence Research (ACTIR) unit partnered with the Microsoft Digital Crimes Unit to disrupt the notorious cybercrime group, Storm-1152. A U.S. court authorized the seizure of Storm-1152 websites, aiming to disrupt their infrastructure, seize domain names, and hold the bad actors accountable.

One month later Storm-1152 resurfaced with a new domain, RockCAPTCHA.com, and in ways that made their operations harder not only to detect but also for its attacker customer base to access it. Storm-1152 used to be a publicly available service where an attacker could simply access it and transact. After the initial December disruption, the threat actors behind Storm-1152 then shifted so that its websites were only accessible from within Vietnam by VPN.

This renewed activity validates several premises we’ve consistently observed among cybercriminals of this type: 

1) Bad actors are the early adopters of AI 

2) Cybercrime-as-a-service is too lucrative of a business model for bad actors to just give up 

3) Imposing real-world consequences forces bad actors to change their behaviors.

Last week, Microsoft seized the infrastructure that Storm-1152 had been rebuilding since late January.

ACTIR and the broader team at Arkose Labs partnered with many different functions across Microsoft to disrupt Storm-1152 for a second time, including the Microsoft Digital Crimes Unit and Sean Farrell, lead counsel, cybercrime enforcement. Farrell commented on the second disruption: “We must continue to be persistent and take actions that make it harder for criminals to make money. This is why we filed a second suit to take control of this new domain. We need to send a message that we will not tolerate activity that seeks to harm our customers and individuals online.” 

Telegram communities lit up in disbelief and disappointment upon the realization that Storm-1152’s domain had been seized, reflecting its popularity and the dark web’s dependence on it to be able to conduct online attacks and cause harm. 

Storm-1152: The Second Act

ACTIR, which conducts proactive threat hunting, risk analysis gathering and other counterintelligence methods to provide vital, fresh intelligence, closely monitored Storm-1152’s attempts to rebuild their services. The unit first observed the Storm-1152 reconstitution in late January 2024. The speed at which the threat actor group resurfaced is a testament to how lucrative this type of nefarious activity really is. 

For months, Storm-1152 developed advanced methods such as an increased use of AI in an attempt to bypass security methods. As our Head of Product Vikas Shetty explained, the group used AI to “synthetically generate human-like signatures,” which means they could effectively mimic legitimate user behaviors and evade detection by the traditional security systems designed to identify malicious bots. This sophisticated use of AI allowed them to stay one step ahead, making it increasingly challenging for legacy cybersecurity measures to detect and stop their activities.

Storm-1152 Double Downs on AI

Storm-1152 made significant advancements to build tools that use AI to evade cybersecurity defenses implemented to differentiate humans from automated bots. Previously, attackers relied on off-the-shelf AI models for object detection to bypass defenses, but these models proved insufficient against custom-built and robust cybersecurity stacks. 

To overcome this impediment, Storm-1152 started developing their own AI models, using computer vision technologies that enable bots to evade detection and sidestep being mitigated out of various flows, like account registration, a task that requires advanced AI capabilities and experts with deep knowledge in machine learning and AI. The ACTIR unit also had observed Storm-1152 using generative AI for detection evasion.

Recognizing the need for AI expertise, Storm-1152 actively recruited top-tier AI talent. The group sought highly skilled AI engineers, including higher education students and professors in countries like Vietnam, who were working to develop AI models that could adapt to and overcome the evolving characteristics of various cybersecurity systems and protocols. 

In particular, a professor with a machine learning background was noted for their contributions in 2022, highlighting the high level of expertise within the group. The threat actors’ ability to tune and adapt AI models for specific mitigation technologies demonstrates their deep understanding of AI and its practical applications in cyber attacks.

Ecosystem of AI-Driven Cyber Attacks

This high level of expertise was supported by a comprehensive ecosystem that not only focused on developing AI models but also on the crucial task of collecting training data. Storm-1152’s experts gathered images and other data necessary for training AI models to solve various types of defensive measures. This approach ensured that the models would be continuously updated and refined to maintain their effectiveness. 

Moreover, the attackers used a different threat actor group that ACTIR had identified and dubbed Greasy Opal. It operates as a Cyber Attack Enablement business and made it easy for Storm-1152 to access and integrate AI models into their attack strategies. While third-party tools like Greasy Opal provided a commercial solution, they often lagged behind rapidly evolving cybersecurity technologies. As a result, Storm-1152 shifted toward building their models in-house, further enhancing their capabilities.

Implications for Cybersecurity and a Call to Action

The resurgence of Storm-1152 underscores the evolving nature of cyber threats. As these groups continue to evolve, so too must the defenses designed to protect against them. For instance, here at Arkose Labs we are harnessing the power of AI to defeat cybercriminals through the use of AI-resistant challenges, behavioral biometrics, device spoofing detection, and other modern technologies. And we continue to work with Microsoft’s Digital Crimes Unit (DCU) to combat these ever-evolving threats and not only safeguard the digital landscape but also inflict real-world consequences on cybercriminals.  

The cyber threat landscape is complex. To that end, we invite you to explore our threat actor taxonomy, a coherent framework designed to define, enhance understanding of various cyber threats, stimulate knowledge sharing, advance threat intelligence analysis and inform proper countermeasures.

*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Kevin Gosschalk. Read the original post at: https://www.arkoselabs.com/blog/storm-1152-continuing-battle-against-cybercrime/