Microsoft's latest threat intelligence blog warns all organizations about Storm-0501's recent shift in tactics toward targeting and backdooring hybrid cloud environments.
Using a bevy of tactics to achieve its goals, Storm-0501 has a tendency to take control of entire networks via cloud compromises. Members first gain access to on-prem environments before pivoting to the cloud, implanting backdoors for persistent access, and deploying ransomware.
Active since 2021, Storm-0501 is still regarded by Microsoft as an emerging group, hence the "Storm" naming convention, which Microsoft reserves for groups still in development.
Despite its fledgling status, the group has been prolific in carrying out ransomware attacks as a member of the LockBit, ALPHV, Hive, and Hunters International ransomware affiliate programs.
More recently, Microsoft spotted it deploying Embargo's ransomware payload, and separately compared it to more established, financially motivated groups such as Octo Tempest (Scattered Spider) and Manatee Tempest (Evil Corp).