How do you know a storm is coming? Look at the clouds. A Cyber Signals report published by Microsoft’s Threat Intelligence team in May detailed how a Moroccan threat actor known as Atlas Lion, or Storm-0539, conducts financial crimes, such as gift card fraud, by abusing cloud services.
Backstory. Atlas Lion typically starts by obtaining free trials and student accounts on cloud service platforms. Another way in is to impersonate nonprofits or charities and ask for “sponsored” or “discounted” services. The group then “create[s] virtual machines and launch[es] their operations,” mostly targeting US-based retailers with phishing and smishing campaigns. It exfiltrates data and steals gift cards, gathers information for future attacks, and then starts the cycle over again.
IT Brew caught up with Emiel Haeghebaert, a senior hunt analyst on the Microsoft Threat Intelligence team, to discuss the nature of the group and its schemes.
Can you dive a bit more into the aspect of setting up student accounts or free trials on cloud service platforms and what that entails?
“Absolutely. I think all the major cloud providers have trial services or student accounts where you…have to provide your information—maybe a credit card on file, provide an email address, and then you can get, for example, 30 days of access up to $50 of value,” he told IT Brew. “And that $50 is calculated by…what you’re using. So, if you use a virtual machine, and you’re doing all kinds of crazy things on it, that $50 will be gone very quickly.”
The cyber group—which Microsoft first started tracking in 2021—has stolen “up to $100,000 a day at certain companies,” the report also stated.
How does this free trial structure actually allow them to get what they need?
“So, there’s two key things that I consider [to be] why threat actors would want to use that type of infrastructure. The first is—it’s free. They can come to a cloud provider, get 30 days of access, and use it. Of course, you know, there’s security researchers like myself who watch for this type of fraud, and we can disable it very quickly.”
“The second reason is, in a lot of cases…if they have a free trial, and they create a virtual machine, when they interact with the internet, they are coming from Microsoft IP addresses, because it’s hosted in Azure…So, I think it’s also partially about blending in with legitimate traffic and making it harder for defenders to notice.”
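The defensive angle on that point is that traffic from a cloud provider's address space is still distinguishable, even if it is no longer obviously "foreign." Below is an added example, written for this article and not code from Microsoft or the IT Brew report, that flags interactive sign-ins whose source address falls inside cloud-provider prefixes, skipping service identities that are expected to run there. The feed format mirrors the service-tag JSON Microsoft publishes for Azure IP ranges, but every prefix, user name, and log line here is constructed for the demo and is not a real Azure range.

```python
"""Added example (not from the IT Brew article or Microsoft's report):
flag sign-in events whose source IP falls inside cloud-provider address
space. If an attacker runs tooling on trial Azure VMs, its traffic
arrives from Microsoft IP ranges; a retailer's staff normally sign in
from corporate, residential or mobile networks, so a cloud-hosted source
for an interactive login is worth a look. The CIDR blocks and log lines
below are CONSTRUCTED for the demo; in production load the published
Azure service-tag JSON (or the ranges of whichever providers you care
about) instead of hard-coding them."""
import ipaddress
import json

# Constructed ranges in the shape of the Azure service-tag feed.
# These are NOT real Azure prefixes (they are RFC 5737/3849 documentation
# blocks); replace them with the published feed.
CLOUD_RANGES_JSON = """
{
  "values": [
    {"name": "AzureCloud.example",
     "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
    {"name": "OtherCloud.example",
     "properties": {"addressPrefixes": ["198.51.100.0/25"]}}
  ]
}
"""


def load_ranges(feed_json: str):
    """Parse a service-tag style feed into (tag, network) pairs."""
    feed = json.loads(feed_json)
    nets = []
    for tag in feed["values"]:
        for prefix in tag["properties"]["addressPrefixes"]:
            nets.append((tag["name"], ipaddress.ip_network(prefix, strict=False)))
    return nets


def classify_ip(ip: str, ranges):
    """Return the service tag whose prefix contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ranges:
        if addr.version == net.version and addr in net:
            return name
    return None


# Constructed sign-in events (JSON lines) for the demo.
SAMPLE_LOG = """\
{"ts":"2024-05-20T09:01:12Z","user":"jsmith","src":"192.0.2.44","result":"success","app":"giftcard-portal"}
{"ts":"2024-05-20T09:03:40Z","user":"jsmith","src":"203.0.113.17","result":"success","app":"giftcard-portal"}
{"ts":"2024-05-20T09:05:03Z","user":"svc-backup","src":"203.0.113.200","result":"success","app":"storage-sync"}
{"ts":"2024-05-20T09:07:55Z","user":"mlee","src":"198.51.100.9","result":"failure","app":"giftcard-portal"}
"""

# Identities expected to operate from cloud ranges (constructed allowlist).
EXPECTED_CLOUD_PRINCIPALS = {"svc-backup"}


def find_cloud_sourced_logins(log_text: str, ranges, allow=EXPECTED_CLOUD_PRINCIPALS):
    """Return alerts for sign-ins originating from cloud-provider ranges.

    Service principals that legitimately run in the cloud are skipped so
    the detection does not drown in expected automation traffic. Failed
    attempts are kept: a burst of failures from hosting space is itself
    a useful signal for password spraying.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        tag = classify_ip(ev["src"], ranges)
        if tag is None or ev["user"] in allow:
            continue
        alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
                       "tag": tag, "result": ev["result"], "app": ev["app"]})
    return alerts


if __name__ == "__main__":
    for a in find_cloud_sourced_logins(SAMPLE_LOG, load_ranges(CLOUD_RANGES_JSON)):
        print(f"{a['ts']} {a['user']} {a['result']} from {a['src']} ({a['tag']}) -> {a['app']}")
```

On the constructed input this flags two of the four events: jsmith's successful login from the "Azure" block and mlee's failed attempt from the second provider's block, while the backup service account is ignored because it is on the allowlist. The allowlist is the part that needs the most care in a real deployment; an over-broad one quietly reintroduces the blind spot the quote describes.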
Is there anything particularly unusual or interesting about the group’s behavior?
“I think what’s notable about the group is sort of the cyclical nature of their activity. There’s times when we don’t really see them do a whole lot—there’s times when they come back, and they’re very active,” he said, noting that they saw a 60% uptick in activity around the holidays. “And now in the last few weeks, ahead of the summer months, we also see an uptick worth about 30%.”
“You have to imagine that the cyber criminals are real people in Morocco, and maybe have normal jobs, and they do this on the side,” he said. “The holidays come around, and they say now’s the time to go run our scheme again. So, that’s something to think about.”