Skip to main content
Skip to main content
Microsoft Security

Defending against persistent attackers: What we’ve learned

  • Microsoft Secure Blog Staff

Part of what we do at the Microsoft Malware Protection Center involves keeping tabs on known activity groups. This is some of the most interesting and intriguing work we do.

One particularly aggressive and persistent group we track is known within Microsoft by the code-name “STRONTIUM” (following our internal practice of assigning chemical element names to such groups).

Whereas most cyber-attack groups are ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary targets include government bodies, diplomatic institutions, and military forces. The group has also been known to target journalists, political advisors, and organizations associated with political activism. With such lofty targets, you might expect the group to be highly sophisticated, and it is.

STRONTIUM primarily attempts to ensnare individuals using spear phishing tactics through email or social networking channels. The idea is to dupe people into giving up their login credentials so the group can perform reconnaissance on a target organization. Their lure messages are typically tied to current events such as an upcoming conference or real-world news, and STRONTIUM’s email senders are usually associated with well-known email providers, using plausible names and titles designed to give the messages credibility.

The ultimate goal of this reconnaissance phase is to compile a list of high-value individuals who have information or access that STRONTIUM wants. With this list at hand, the group moves to the next phase of operations — installing malware on the high-value targets’ computers and thereby gaining access to the institution’s network. Depending on the specific attack used, they might send a message with a link that will launch a drive-by download when clicked, or a malicious attachment such as a document file containing an exploit.

It is not yet clear whether the group researches vulnerabilities and develops the exploits themselves, or purchases them on the black market, but Microsoft researchers have observed STRONTIUM moving swiftly to take advantage of newly disclosed vulnerabilities. They are also known for zero-day exploits targeting vulnerabilities where the software vendor has not yet released a security update. STRONTIUM also targets older vulnerabilities that simply haven’t been patched by the organization, and attacks involving non-Windows computers are a concern as well.

Considering STRONTIUM’s broad range of technical capabilities and its determination to keep up an attack for months or years until it succeeds, the group represents a significant threat that is difficult to defend against. Nevertheless, there are steps an organization can take to significantly decrease the probability of a successful attack:

  • Deploy vendor security updates quickly after they are released. STRONTIUM looks for out-of-date software installations inside target institutions. Keeping software current denies the group this avenue of infiltration.
  • Take advantage of the latest mitigation technologies. Recent versions of Windows (most notably Windows 10) and other software include critical mitigations that can render many of STRONTIUM’s exploits ineffective.
  • Enforce segregation of privileges and apply all possible safety measures to protect Admin accounts. STRONTIUM relies on pass-the-hash techniques and elevation of privileges to successfully move laterally across networks.
  • Conduct enterprise software security awareness training. STRONTIUM heavily relies on social engineering to entice individuals into clicking links to malware. Security training can raise awareness around this attack vector.
  • Institute multi-factor authentication. As STRONTIUM extensively uses credential-stealing spear phishing attacks, multi-factor authentication can be an effective tool to prevent unauthorized access even if credentials are stolen.
  • Prepare your network to be forensically ready. A forensically ready network that records authentications, password changes, and other significant network events can help to quickly identify affected systems.
  • Keep personnel and personal data private. STRONTIUM uses open-source intelligence to obtain its initial lists of victims, which might include names and email addresses, but can expand into employment information and other items of interest. Make sure your email is kept confidential and privacy settings on social media don’t disclose sensitive information publicly. These are all pieces of information STRONTIUM can use to devise a realistic attack.

For a deeper look at the STRONTIUM adversary, including technical information that can help your IT department keep your organization safe, see the latest Microsoft Security Intelligence Report here.

To learn more about how Microsoft helps protect your security and privacy in the cloud, visit Trusted Cloud.