Menu
Browse

Cyber Threat Actor: Storm-0558

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
3 incidents
Profile

The threatactor tracked as UNC5221 and also known as Storm-0558 is a China‑based group that has been linked to multiple intrusions against U.S. government entities. Public reporting identifies the actor’s primary targets as federal departments involved in foreign affairs, trade and defense research, indicating a focus on diplomatic and technological sectors. The observed objectives are consistently espionage‑oriented, with operations aimed at harvesting email correspondence, credential data and sensitive research information rather than financial gain or disruptive effects. In early 2024 the group exploited two zero‑day vulnerabilities in Ivanti Connect Secure VPN appliances to gain initial access to MITRE’s research and prototyping network. After bypassing multi‑factor authentication through session hijacking, the attackers used a compromised administrator account to move laterally into the organization’s VMware environment. Within the VMware infrastructure they deployed backdoors and webshells to maintain persistence and to harvest credentials from internal systems.

A separate campaign in mid‑2023 involved the compromise of a Microsoft engineer’s corporate account, which facilitated the theft of approximately sixty thousand emails from ten U.S. State Department mailboxes. The same timeframe saw the actor forging digital authentication tokens for Microsoft Outlook, allowing unauthorized access to unclassified email accounts at the Commerce Department, including the secretary’s mailbox. These token‑forgery techniques enabled the group to read and exfiltrate messages without triggering standard authentication alerts. Attribution to a Chinese state nexus is repeatedly cited in the sources, describing the activity as conducted by state‑linked hackers rather than a criminal enterprise. The combination of zero‑day exploitation, credential theft, token manipulation and the use of stealthy webshells illustrates a tooling style focused on prolonged, low‑visibility access to high‑value targets. Taken together, the publicly reported operations demonstrate a pattern of espionage‑driven intrusions that leverage both software vulnerabilities and identity‑based attacks to achieve sustained access to U.S. government networks.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
0 sources