Skip to main content Why Microsoft Security AI-powered cybersecurity Cloud security Data security & governance Identity & network access Privacy & risk management Security for AI Unified SecOps Zero Trust Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Priva Microsoft Purview Microsoft Sentinel Microsoft Security Copilot Microsoft Entra ID (Azure Active Directory) Microsoft Entra Agent ID Microsoft Entra External ID Microsoft Entra ID Governance Microsoft Entra ID Protection Microsoft Entra Internet Access Microsoft Entra Private Access Microsoft Entra Permissions Management Microsoft Entra Verified ID Microsoft Entra Workload ID Microsoft Entra Domain Services Azure Key Vault Microsoft Sentinel Microsoft Defender for Cloud Microsoft Defender XDR Microsoft Defender for Endpoint Microsoft Defender for Office 365 Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Security Exposure Management Microsoft Defender Vulnerability Management Microsoft Defender Threat Intelligence Microsoft Defender Suite for Business Premium Microsoft Defender for Cloud Microsoft Defender Cloud Security Posture Mgmt Microsoft Defender External Attack Surface Management Azure Firewall Azure Web App Firewall Azure DDoS Protection GitHub Advanced Security Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Defender for Business Microsoft Intune core capabilities Microsoft Defender for IoT Microsoft Defender Vulnerability Management Microsoft Intune Advanced Analytics Microsoft Intune Endpoint Privilege Management Microsoft Intune Enterprise Application Management Microsoft Intune Remote Help Microsoft Cloud PKI Microsoft Purview Communication Compliance Microsoft Purview Compliance Manager Microsoft Purview Data Lifecycle Management Microsoft Purview eDiscovery Microsoft Purview Audit Microsoft Priva Risk Management Microsoft Priva Subject Rights Requests Microsoft Purview Data Governance Microsoft Purview Suite for Business Premium Microsoft Purview data security capabilities Pricing Services Partners Cybersecurity awareness Customer stories Security 101 Product trials How we protect Microsoft Industry recognition Microsoft Security Insider Microsoft Digital Defense Report Security Response Center Microsoft Security Blog Microsoft Security Events Microsoft Tech Community Documentation Technical Content Library Training & certifications Compliance Program for Microsoft Cloud Microsoft Trust Center Security Engineering Portal Service Trust Portal Microsoft Secure Future Initiative Business Solutions Hub Contact Sales Start free trial Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft Teams Windows 365 Microsoft AI Azure Space Mixed reality Microsoft HoloLens Microsoft Viva Quantum computing Sustainability Education Automotive Financial services Government Healthcare Manufacturing Retail Find a partner Become a partner Partner Network Microsoft Marketplace Marketplace Rewards Software development companies Blog Microsoft Advertising Developer Center Documentation Events Licensing Microsoft Learn Microsoft Research View Sitemap

Tags

Content types

Topics

The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide.

The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM – a group that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations.

Since 2007, the group has targeted:

  • Government bodies
  • Diplomatic institutions
  • Military forces and installations
  • Journalists
  • Political advisors and organizations

Attack vectors: How they manage to get in

A STRONTIUM actor attack usually has two components:

  1. A spear phishing attempt that targets specific individuals within an organization. This phishing attempt is used to gather information about potential high-value targets and steal their login credentials.
  2. A second phase that attempts to download malware using software vulnerabilities to further infect the target computers and spread through networks.

Spear phishing

We estimate the STRONTIUM actor targeted several thousand people with spear phishing attacks during the first half of 2015. The goal of the spam email attack is to get a list of high-value individuals with access to sensitive information.

The phishing email usually attempts to trick the target into believing there has been an unauthorized user accessing their account.

The email includes a link to a website under the attacker’s control that prompts the victim to change their password. If the attack is successful, the stolen credentials can be used to access the victim’s email account.

Visiting the malicious website can also send sensitive information to the attacker, even when no credentials are entered. The sensitive information can include details of the victim’s PC -including its IP address, browser and operating system versions, and any browser add-ons installed. This information can be used to target the individual with software exploits.

Malware downloads

The second phase of a STRONTIUM actor attack is to install malware on the compromised machine in an attempt to gain access to other machines on the network.

Usually, the malware is installed through a malicious link in an email. However, we have also seen social networks used to spread malicious links. The highly-targeted emails use current events, such as an upcoming conference, to entice the victim to click a link for “additional information”. The email is sent from well-known email providers and sender names that are designed to look credible.

When the link is clicked, a drive-by-download attack is launched using software vulnerabilities. The attacks often use zero-day exploits that target vulnerabilities for which the affected software vendor has not yet released a security update.

If the attack is successful the attacker tries to compromise other machines within the targeted organization to gather more sensitive information.

See the Microsoft Security Intelligence Report (SIRv19) for more technical details on the methods used by STRONTIUM.

Preventing attacks

You can reduce the likelihood of a successful compromise in a number of ways. Use an up-to-date real-time security product, such as Windows Defender for Windows 10.

In an enterprise environment you should also:

  • Keep all your software up-to-date and deploy security updates as soon as possible
  • Enforce segregation of privileges on user accounts and apply all possible safety measures to protect administrator accounts from compromise
  • Conduct enterprise software security awareness training, and build awareness about malware infection prevention
  • Institute multi-factor authentication

TheMicrosoft Security Intelligence Report (SIRv19) has more advice and detailed analysis of STRONTIUM, as well as other information about malware and unwanted software.

The Microsoft Malware Protection Center’s November Threat Intelligence Report also includes detailed information, resources, and advice to mitigate the risk of advanced persistent threats (APTs).

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity.

Microsoft Defender Security Research Team

See Microsoft Defender Security Research Team posts

Related posts

Get started with Microsoft Security

Protect your people, data, and infrastructure with AI-powered, end-to-end security from Microsoft.

Learn how

Connect with us on social

Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Marketplace Rewards Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads