← All Threat Actors
Threat Actor Profile

Storm-0501

G1053
▲ High Threat
Storm-0501 is a financially motivated cybercriminal group that has been active since 2021, initially targeting US school districts with the Sabbath ransomware and later transitioning to a RaaS model deploying various ransomware strains, including Embargo. The group exploits weak credentials and over-privileged accounts to achieve lateral movement from on-premises environments to cloud infrastructures, establishing persistent backdoor access and deploying ransomware. They have utilized techniques such as credential theft, exploiting vulnerabilities in Zoho ManageEngine and Citrix NetScaler, and employing tools like Cobalt Strike and Rclone for lateral movement and data exfiltration. Storm-0501 has specifically targeted sectors such as government, manufacturing, transportation, and law enforcement in the United States.
Origin

Known TTPs

Remote Desktop Software
Transfer Data to Cloud Account
Inhibit System Recovery
Group Policy Modification
Data from Cloud Storage
PowerShell
Data Destruction
Scheduled Task
Cloud Account
DCSync
Cloud Service Discovery
Exfiltration to Cloud Storage
Cloud API
Cloud Services
Windows Remote Management
Exploit Public-Facing Application
Process Discovery
Security Software Discovery
Data Encrypted for Impact
Financial Theft
Cloud Accounts
Regsvr32
Cloud Secrets Management Stores
Password Managers
Trust Modification
Cloud Infrastructure Discovery
Domain Trust Discovery
Delete Cloud Instance
System Information Discovery
Software Packing
System Language Discovery
Private Keys
Masquerade Task or Service
Additional Cloud Roles
Domain Account
Rundll32
Digital Certificates
Vulnerabilities
Conditional Access Policies
OS Credential Dumping
Brute Force
Additional Cloud Credentials

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD