A Chinese government-linked group that Microsoft tracks as Storm-0227 was, as of yesterday, actively targeting critical infrastructure organisations and US government agencies, according to Redmond’s threat intel team.
The crew has been active since at least January, and while Microsoft declined to enumerate Storm-0227’s victim count, “there are indicators that this group is active as of yesterday, actively pursuing threat activity,” Sherrod DeGrippo, director of threat intelligence strategy, told The Register.
The espionage crew overlaps in part with Silk Typhoon operatives (aka Hafnium) and with activity that other vendors track as TAG-100. Over the last 12 months, the Chinese spies mostly focused on US targets in the defense industrial base, aviation, telecommunications, and financial and legal services, plus government agencies and non-governmental organisations.
“They’re a significant threat, particularly because they really do embody the activity of persistence,” DeGrippo said.
Storm-0227 typically gains initial access by exploiting security vulnerabilities in public-facing applications or, since September, with spear phishing emails that contain malicious attachments or links. The goal here is to trick people into opening a document or connecting to a website that downloads SparkRAT, an open-source remote administration tool written in Go that provides persistent access to victims’ machines. The crew appears not to use custom malware.
DeGrippo said many actors deploy SparkRAT. “Even national-aligned threat actors … are pulling commodity malware out of that trading ecosystem and using it for remote access,” she said.
Even just five years ago, “that was sort of a shocking thing to see a nation-sponsored, espionage-focused threat actor group really leveraging off the shelf malware,” DeGrippo added. “Today we see it very frequently.”
Once they’ve broken in, Storm-0227 gets to work stealing credentials to cloud applications including Microsoft 365 and eDiscovery, a tool used by legal professionals to review documents. Abusing legitimate applications helps the intruders evade detection: with valid credentials they look like just another user, while the gang uses that access to steal email communications and sensitive files.
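One practical response to the "looks like just another user" problem is to baseline who runs eDiscovery exports, from where, and alert on departures from that baseline. The script below is an added example written for this article, not Microsoft's or Storm-0227's code; the log lines are constructed, and the field names (UserId, Operation, RecordType, ClientIP, CreationTime) and operation names (SearchCreated, SearchExported, and so on) are assumptions modelled on Microsoft 365 unified audit log records, so verify them against your own tenant's exports before relying on them.

```python
import json

# Assumed eDiscovery operation names, modelled on the Microsoft 365 unified
# audit log; confirm against your tenant before deploying.
EXPORT_OPS = {"SearchExported", "ViewedSearchExported"}
DISCOVERY_OPS = EXPORT_OPS | {"SearchCreated", "SearchStarted", "SearchPreviewed"}

# Constructed sample records (not real audit data). Timestamps are fixed-width
# ISO 8601 so they sort and compare correctly as plain strings.
SAMPLE_LOG = """\
{"CreationTime": "2024-10-03T09:12:00", "UserId": "paralegal@example.com", "Operation": "SearchCreated", "RecordType": "Discovery", "ClientIP": "10.20.1.15"}
{"CreationTime": "2024-10-03T09:40:00", "UserId": "paralegal@example.com", "Operation": "SearchExported", "RecordType": "Discovery", "ClientIP": "10.20.1.15"}
{"CreationTime": "2024-10-21T14:05:00", "UserId": "paralegal@example.com", "Operation": "SearchExported", "RecordType": "Discovery", "ClientIP": "10.20.1.15"}
{"CreationTime": "2024-11-02T02:17:00", "UserId": "paralegal@example.com", "Operation": "SearchExported", "RecordType": "Discovery", "ClientIP": "203.0.113.77"}
{"CreationTime": "2024-11-02T02:31:00", "UserId": "engineer@example.com", "Operation": "SearchCreated", "RecordType": "Discovery", "ClientIP": "203.0.113.77"}
{"CreationTime": "2024-11-02T02:44:00", "UserId": "engineer@example.com", "Operation": "SearchExported", "RecordType": "Discovery", "ClientIP": "203.0.113.77"}
{"CreationTime": "2024-11-02T03:00:00", "UserId": "paralegal@example.com", "Operation": "MailItemsAccessed", "RecordType": "ExchangeItemAggregated", "ClientIP": "10.20.1.15"}
"""


def parse(log_text):
    """Parse newline-delimited JSON audit records, oldest first."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["CreationTime"])


def build_baseline(records, cutoff):
    """Map each user to the set of source IPs seen on eDiscovery ops before cutoff."""
    seen = {}
    for r in records:
        if r["CreationTime"] < cutoff and r["Operation"] in DISCOVERY_OPS:
            seen.setdefault(r["UserId"], set()).add(r["ClientIP"])
    return seen


def find_anomalous_exports(records, cutoff):
    """Flag exports after cutoff by accounts or source IPs absent from the baseline.

    A stolen credential used from attacker infrastructure shows up as an export
    from an IP the account never used, or an export by an account that has never
    touched eDiscovery at all.
    """
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        if r["CreationTime"] < cutoff or r["Operation"] not in EXPORT_OPS:
            continue
        user, ip = r["UserId"], r["ClientIP"]
        if user not in baseline:
            reason = "first eDiscovery export ever for this account"
        elif ip not in baseline[user]:
            reason = f"export from IP {ip} never seen for this account"
        else:
            continue  # known user from a known location: routine legal work
        alerts.append({"time": r["CreationTime"], "user": user, "ip": ip, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalous_exports(parse(SAMPLE_LOG), "2024-11-01T00:00:00"):
        print(alert)
```

Run as-is it raises two alerts: the paralegal's export from an address the account had never used, and the engineer's first-ever export. The normal paralegal exports from the office address are left alone, which is the point of baselining rather than alerting on every export; in production, feed it the real audit export and widen the baseline window to cover a full legal review cycle.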
DeGrippo said the group uses the data it steals to understand victims’ operations.
“If you have the email communications that go with that file, and reference that file, and talk about what the point of it is, and why they’re using it, what it means, and why I’m sending this to you – it gives a richness to the intelligence gathering that the threat actor is doing,” she said.
Storm-0227’s victims overlap with some of the sectors hit by other Chinese cyber-spy crews like Salt Typhoon (which has attacked telcos around the world) and Volt Typhoon.
DeGrippo said the threat isn’t going away anytime soon.
“China continues to focus on these kinds of targets,” she said. “They’re pulling out files that are of espionage value, communications that are contextual espionage value to those files, and looking at US interests.” ®