Microsoft has aggressively pursued legal measures to dismantle Storm-1152’s network, seizing its US-based infrastructure, shutting down key websites, and rigorously investigating to identify the individuals responsible for the group’s activities.
Marking a major step in the fight against cybercrime, Microsoft has initiated action against Storm-1152, a group that offers a “cybercrime-as-a-service” network.
The company has aggressively pursued legal measures to dismantle Storm-1152’s network, seizing its US-based infrastructure, shutting down key websites, and rigorously investigating to identify the individuals responsible for the group’s activities.
“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” Amy Hogan-Burney, GM and associate general counsel for cybersecurity policy and protection at Microsoft, said in a blog post. “These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”
Storm-1152 has generated about 750 million fake Microsoft accounts for sale, distinguishing itself as a particularly severe threat. Unlike other groups, they provide cybercriminals with easy access to fake accounts. This convenience enables criminals to concentrate on activities such as phishing, spamming, ransomware, and various other frauds and abuses.
Efforts to slow down cybercrime
Microsoft’s actions follow a recent court order from the Southern District of New York, authorizing the company to seize US-based infrastructure and websites used by Storm-1152. The measures included seizing Hotmailbox.me and disrupting services like 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as targeting the social media platforms used for promoting these services.
“With today’s action, our goal is to deter criminal behavior,” Hogan-Burney said. “By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”
Microsoft Threat Intelligence has found several groups using Storm-1152’s fake accounts for ransomware and other cybercrimes. Notably, the group Octo Tempest utilized these accounts for international financial extortion. Microsoft is also monitoring other groups like Storm-0252 and Storm-0455, who have similarly employed Storm-1152’s services for more effective cyberattacks.
Identifying the people behind attacks
Microsoft has identified the people behind Storm-1152’s operations – Duong Dinh Tu, Linh Van Nguyen (also known as Nguyen Van Linh), and Tai Van Nguyen – based in Vietnam. In the blog post, Microsoft posted a screenshot of Duong’s YouTube channel with “how-to videos” to bypass security measures.
“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services,” Hogan-Burney said.
Microsoft worked with Arkose Labs to investigate and take action against the group. In the blog post, Kevin Gosschalk, founder and CEO of Arkose Labs, said that Storm-1152 raised significant concern due to their method that allowed profiting by enabling complex attacks. He noted the group is unique in operating its ‘Cybercrime-as-a-Service’ openly, rather than on the dark web, offering training and customer support for its tools.
