December 2023: The Initial Disruption
Last December, insights from the Arkose Cyber Threat Intelligence Research (ACTIR) unit were instrumental in helping the Microsoft Digital Crimes Unit to disrupt the notorious cybercrime group Storm-1152. A U.S. court authorized the seizure of Storm-1152 websites, aiming to disrupt its infrastructure, seize domain names, and hold the bad actors accountable.
One month later Storm-1152 resurfaced with a new domain, RockCAPTCHA.com, and in ways that made its operations harder not only to detect but also for its attacker customer base to access it. Storm-1152 used to be a publicly available service where an attacker could simply access the websites and transact. After the initial December disruption, the threat actors behind Storm-1152 then shifted so that its websites were only accessible from within Vietnam by VPN.
This renewed activity validates several premises we’ve consistently observed among cybercriminals of this type:
1) Bad actors are the early adopters of AI.
2) Cybercrime-as-a-service is too lucrative of a business model for bad actors to just give up.
3) Imposing real-world consequences forces bad actors to change their behaviors.
Last week, Microsoft seized the infrastructure that Storm-1152 had been rebuilding since late January.
ACTIR and the broader team at Arkose Labs partnered with many different functions across Microsoft to disrupt Storm-1152 for a second time, including the Microsoft Digital Crimes Unit and Sean Farrell, lead counsel, cybercrime enforcement. Farrell commented on the second disruption: “We must continue to be persistent and take actions that make it harder for criminals to make money. This is why we filed a second suit to take control of this new domain. We need to send a message that we will not tolerate activity that seeks to harm our customers and individuals online.”
Telegram communities lit up in disbelief and disappointment upon the realization that Storm-1152’s domain had been seized, reflecting its popularity and the dark web’s dependence on it to be able to conduct online attacks and cause harm.
Storm-1152: The Second Act
ACTIR, which conducts proactive threat hunting, risk analysis gathering and other counterintelligence methods to provide vital, fresh intelligence, closely monitored Storm-1152’s attempts to rebuild its services. The unit first observed the Storm-1152 reconstitution in late January 2024. The speed at which the threat actor group resurfaced is a testament to how lucrative this type of nefarious activity really is.
For months, Storm-1152 developed advanced methods such as an increased use of AI in an attempt to bypass security methods. As our Head of Product Vikas Shetty explained, the group used AI to “synthetically generate human-like signatures,” which means it could effectively mimic legitimate user behaviors and evade detection by the traditional security systems designed to identify malicious bots. This sophisticated use of AI allowed Storm-1152 to stay one step ahead, making it increasingly challenging for legacy cybersecurity measures to detect and stop its activities.
Storm-1152 Doubles Down on AI
Storm-1152 made significant advancements to build tools that use AI to evade cybersecurity defenses implemented to differentiate humans from automated bots. Previously, attackers relied on off-the-shelf AI models for object detection to bypass defenses, but these models proved insufficient against custom-built and robust cybersecurity stacks.
To overcome this impediment, Storm-1152 started developing its own AI models, using computer vision technologies that enable bots to evade detection and sidestep being mitigated out of various flows, like account registration, a task that requires advanced AI capabilities and experts with deep knowledge in machine learning and AI. The ACTIR unit also had observed Storm-1152 using generative AI for detection evasion.
Recognizing the need for AI expertise, Storm-1152 actively recruited top-tier AI talent. The group sought highly skilled AI engineers, including higher education students and professors in countries like Vietnam, who were working to develop AI models that could adapt to and overcome the evolving characteristics of various cybersecurity systems and protocols.
In particular, a professor with a machine learning background was noted for their contributions in 2022, highlighting the high level of expertise within the group. The threat actor's ability to tune and adapt AI models for specific mitigation technologies demonstrates their deep understanding of AI and its practical applications in cyberattacks.
Ecosystem of AI-Driven Cyberattacks
This high level of expertise was supported by a comprehensive ecosystem that not only focused on developing AI models but also on the crucial task of collecting training data. Storm-1152’s experts gathered images and other data necessary for training AI models to solve various types of defensive measures. This approach ensured that the models would be continuously updated and refined to maintain their effectiveness.
Moreover, the attackers used a different threat actor group that ACTIR had identified and dubbed Greasy Opal. It operates as a Cyber Attack Enablement business and made it easy for Storm-1152 to access and integrate AI models into its attack strategies. While third-party tools like Greasy Opal provided a commercial solution, it often lagged behind rapidly evolving cybersecurity technologies. As a result, Storm-1152 shifted toward building its models in-house, further enhancing its capabilities.
Implications for Cybersecurity and a Call to Action
The resurgence of Storm-1152 underscores the evolving nature of cyber threats. As these groups continue to evolve, so too must the defenses designed to protect against them. For instance, here at Arkose Labs we are harnessing the power of AI to defeat cybercriminals through the use of AI-resistant challenges, behavioral biometrics, device spoofing detection, and other modern technologies. And we continue to work with Microsoft’s Digital Crimes Unit (DCU) to combat these ever-evolving threats and not only safeguard the digital landscape but also inflict real-world consequences on cybercriminals.
The cyber threat landscape is complex. To that end, we invite you to explore our threat actor taxonomy, a coherent framework designed to define, enhance understanding of various cyber threats, stimulate knowledge sharing, advance threat intelligence analysis and inform proper countermeasures.
Share The Blog
