Microsoft has aggressively pursued legal measures to dismantle Storm-1152’s network, seizing its US-based infrastructure, shutting down key websites, and rigorously investigating to identify the individuals responsible for the group’s activities.

Marking a major step in the fight against cybercrime, Microsoft has initiated action against Storm-1152, a group that offers a “cybercrime-as-a-service” network. The company has aggressively pursued legal measures to dismantle Storm-1152’s network, seizing its US-based infrastructure, shutting down key websites, and rigorously investigating to identify the individuals responsible for the group’s activities.

“Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” Amy Hogan-Burney, GM and associate general counsel for cybersecurity policy and protection at Microsoft, said in a blog post. “These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.”

Storm-1152 has generated about 750 million fake Microsoft accounts for sale, distinguishing itself as a particularly severe threat. Unlike other groups, they provide cybercriminals with easy access to fake accounts. This convenience enables criminals to concentrate on activities such as phishing, spamming, ransomware, and various other frauds and abuses.

Efforts to slow down cybercrime

Microsoft’s actions follow a recent court order from the Southern District of New York, authorizing the company to seize US-based infrastructure and websites used by Storm-1152. The measures included seizing Hotmailbox.me and disrupting services like 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as targeting the social media platforms used for promoting these services.

“With today’s action, our goal is to deter criminal behavior,” Hogan-Burney said.
“By seeking to slow the speed at which cybercriminals launch their attacks, we aim to raise their cost of doing business while continuing our investigation and protecting our customers and other online users.”

Microsoft Threat Intelligence has found several groups using Storm-1152’s fake accounts for ransomware and other cybercrimes. Notably, the group Octo Tempest utilized these accounts for international financial extortion. Microsoft is also monitoring other groups like Storm-0252 and Storm-0455, who have similarly employed Storm-1152’s services for more effective cyberattacks.

Identifying the people behind attacks

Microsoft has identified the people behind Storm-1152’s operations – Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen – based in Vietnam. In the blog post, Microsoft posted a screenshot of Duong’s YouTube channel with “how-to videos” to bypass security measures.

“Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials, and provided chat services to assist those using their fraudulent services,” Hogan-Burney said.

Microsoft worked with Arkose Labs to investigate and take action against the group. In the blog post, Kevin Gosschalk, founder and CEO of Arkose Labs, said that Storm-1152 raised significant concern due to their method that allowed profiting by enabling complex attacks. He noted the group is unique in operating its ‘Cybercrime-as-a-Service’ openly, rather than on the dark web, offering training and customer support for its tools.