Published on: 2025-04-11

Intelligence Report: Russias Storm-2372 Hits Orgs with MFA Bypass via Device Code Phishing – HackRead

1. BLUF (Bottom Line Up Front)

Russian APT group Storm-2372 has developed a sophisticated method to bypass Multi-Factor Authentication (MFA) using device code phishing. This tactic poses a significant threat to sectors such as government, technology, finance, defense, and healthcare. Immediate action is recommended to enhance cybersecurity measures and awareness to mitigate this threat.

2. Detailed Analysis

The following structured analytic techniques have been applied for this analysis:

General Analysis

Storm-2372 has been identified using a technique known as “device code phishing” to circumvent MFA. This method exploits the OAuth device authorization flow, commonly used by devices like smart TVs, to gain unauthorized access to online accounts. The group sends deceptive messages prompting users to enter a device code on a fake login page, thereby capturing access tokens and refresh tokens. This allows them to maintain access to accounts, particularly Microsoft email, for extended periods without detection.

3. Implications and Strategic Risks

The implications of Storm-2372’s activities are profound, with potential risks to national security, economic interests, and regional stability. The sectors targeted hold critical information and influence, making them prime targets for espionage and disruption. The ability to bypass MFA undermines confidence in current cybersecurity protocols and necessitates urgent reassessment of security strategies.

4. Recommendations and Outlook

Recommendations:

• Enhance user education and awareness programs to recognize phishing attempts and suspicious login requests.
• Implement additional security layers beyond MFA, such as behavioral analytics and anomaly detection.
• Encourage regulatory bodies to update cybersecurity frameworks to address emerging threats like device code phishing.
• Invest in technological advancements that can detect and neutralize phishing sites and unauthorized access attempts.

Outlook:

Best-case scenario: Organizations rapidly adapt to the threat, implementing robust security measures that neutralize the effectiveness of device code phishing.

Worst-case scenario: Failure to address the threat leads to widespread breaches, compromising sensitive information and causing significant economic and reputational damage.

Most likely outcome: A mixed response with some organizations successfully mitigating the threat while others remain vulnerable, leading to selective breaches.

5. Key Individuals and Entities

The report highlights the activities of Storm-2372 and mentions the involvement of cybersecurity researchers from SOCRadar and the documentation by Black Hills in 2023. These entities play a critical role in identifying and analyzing the threat posed by device code phishing.