Storm-0558

Description

(Microsoft) Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers. The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021. Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well resourced, and has an in-depth understanding of many authentication techniques and applications.

While we have discovered some minimal overlaps with other Chinese groups such as Violet Typhoon (APT 31, Judgment Panda, Zirconium), we maintain high confidence that Storm-0558 operates as its own distinct group.

Names

Name              Name-Giver
Storm-0558        Microsoft
Antique Typhoon   Microsoft

Country

Motivation

  • Information theft and espionage

First Seen

2023

Observed Sectors

Observed Countries

Tools

Information

Other Information

Uuid

23e2ccea-9daa-415a-a72d-b242bbdb3782

Last Card Change

2025-06-28