Inside China’s Covert Network: How Storm-0940 Exploits 8,000 Compromised Devices for Major Global Password Attacks

TL;DR: A powerful Chinese cyber actor, Storm-0940, is leveraging CovertNetwork-1658, a network of 8,000 compromised SOHO routers, to launch sophisticated password spray attacks globally. Targeting high-value sectors like governments and defense contractors in North America and Europe, these attacks are stealthy, with minimal detection due to low-frequency login attempts. By understanding their tactics and employing robust defenses—such as multi-factor authentication, network monitoring, and upgraded credential hygiene—organizations can fortify against this advanced threat. Stay informed, proactive, and adaptive to outmaneuver this evolving cyber menace.


A Silent Cyberstorm: Inside the Tactics of a Nation-State’s Covert Global Offensive

Storm-0940, a sophisticated Chinese cyber actor, has unleashed one of the most ambitious password spray attacks ever recorded. Powered by CovertNetwork-1658, a vast infrastructure of 8,000 compromised devices, this operation targets critical sectors worldwide with stealth and precision. By seamlessly blending into regular network traffic, Storm-0940 evades detection, exposing the urgent need for advanced defenses against nation-state cyber threats. Microsoft Threat Intelligence recently documented the full scale of this operation in a detailed report that sheds light on the group's covert tactics.


CovertNetwork-1658: The Foundation of Storm-0940’s Operations

CovertNetwork-1658 is more than just a collection of compromised routers; it’s a finely tuned network built for stealth and scale, allowing Storm-0940 to launch widespread password spray attacks with near anonymity. This infrastructure capitalizes on the vulnerabilities of small office and home office (SOHO) routers—devices often overlooked in security strategies due to their non-enterprise classification. By compromising thousands of these routers, mainly from TP-Link, Storm-0940 gains a vast network of IP addresses that effectively hide the origin of their attacks.

Why SOHO Routers?

Storm-0940’s focus on SOHO routers isn’t random. These devices present an attractive target due to several unique factors:

  • High Distribution and Accessibility: SOHO routers are ubiquitous in homes and small businesses, creating a wide and varied attack surface.
  • Limited Security Oversight: Unlike enterprise hardware, SOHO devices are rarely subject to regular security updates or strict IT oversight, making them easier to compromise and harder to detect once under control.
  • Lower Visibility to Security Teams: Security teams often prioritize the monitoring of core servers and enterprise devices, meaning compromised SOHO routers can remain under the radar, serving as long-term assets for attackers.

How CovertNetwork-1658 Operates

CovertNetwork-1658’s architecture is designed for resilience and adaptability. According to Microsoft’s analysis, each compromised node typically remains active for around 90 days before either being replaced or dropping off the network. This continuous turnover is key to sustaining long-term operations while minimizing detection risk.

Core Mechanisms Behind CovertNetwork-1658

  • Remote Code Execution (RCE) Exploits: Storm-0940 takes advantage of RCE vulnerabilities within SOHO routers, giving them remote access to deploy binaries and backdoors. This capability enables them to adjust each device’s functionality as needed, whether it’s launching attacks or serving as a proxy.
  • Automated Renewal and Expansion: As some routers go offline or become flagged, new ones are seamlessly added. This rotation ensures that CovertNetwork-1658 maintains a robust pool of active IPs, continuously replenished to keep attacks operational.

Traffic Obfuscation and Network Flexibility

With CovertNetwork-1658, attackers achieve:

  • Dynamic IP Rotation: By distributing attacks across thousands of IPs that change frequently, Storm-0940 evades static IP blocks and blacklists.
  • Adaptive Infrastructure: If detection rates rise on specific IPs or router models, attackers can quickly adapt by swapping devices, altering user-agent strings, or adjusting attack frequency, keeping defenses off-balance.

CovertNetwork-1658 highlights the danger of overlooking SOHO routers in security protocols. By exploiting these devices, Storm-0940 has built a resilient and flexible network that powers their global attacks while avoiding conventional detection techniques. This strategy underscores the need for expanded security measures, not only within core IT infrastructure but also at the network’s edges where under-protected devices can become powerful tools for threat actors.


[Figure: Tree diagram of CovertNetwork-1658 infrastructure, detailing Storm-0940's use of SOHO routers for evasion and network flexibility, including IP rotation and traffic obfuscation.]
This diagram outlines the CovertNetwork-1658 architecture, which serves as the backbone for Storm-0940’s covert operations. By exploiting vulnerabilities in SOHO routers, the group achieves a scalable and resilient network capable of evading detection. The infrastructure’s adaptability—dynamic IP rotation and traffic obfuscation—enhances its stealth, showcasing why securing SOHO devices is critical for defense.

Dissecting Storm-0940’s Password Spray Attacks

Password spray attacks are a sophisticated evolution of brute-force tactics. Instead of bombarding a single account with multiple passwords, attackers try one common password across many accounts, reducing the risk of detection by triggering fewer security alerts. This low-and-slow approach bypasses typical security measures and keeps accounts from getting locked. For an attacker like Storm-0940, this tactic means covertly testing vast numbers of accounts with minimal risk of exposure.

The Anatomy of an Attack

Storm-0940’s approach is a masterclass in stealth. Unlike high-volume attacks that draw attention, Storm-0940’s campaigns blend into normal traffic patterns. Microsoft’s analysis shows that in 80% of cases, each account sees only one sign-in attempt per day—an approach that avoids raising suspicion or triggering alerts.

1. Initial Access and Preparation

Storm-0940’s groundwork begins by compromising and configuring routers within CovertNetwork-1658:

  • Compromise and Control: Once Storm-0940 gains access to vulnerable routers, they install a Telnet binary and an xlogin backdoor. These tools are essential for remote command execution, enabling the attackers to control the device entirely.
  • Backdoor Activation: The xlogin backdoor, which listens on TCP port 7777, creates a remote command shell. This access-controlled shell allows Storm-0940 to maintain persistent access to the router, ensuring that the device is always ready for new attack directives.
  • SOCKS5 Server Deployment: To mask their true location, attackers deploy a SOCKS5 server on TCP port 11288. This server acts as a proxy, routing all malicious traffic through the compromised router, effectively obscuring the original IP address.

2. Execution of Password Spray Attacks

With CovertNetwork-1658 ready, Storm-0940 launches password spray attacks in a way that avoids detection:

  • Distributed Low-Volume Attacks: By leveraging the thousands of routers in CovertNetwork-1658, Storm-0940 creates a vast network of distributed nodes, each making low-frequency sign-in attempts. This distributed nature ensures that no single IP address generates enough activity to stand out.
  • Camouflaging Traffic: Every compromised router acts as a traffic shield, cloaking the origin of the attack. Additionally, by using common user-agent strings (such as Mozilla/5.0 variants), the attackers mimic legitimate user activity, blending their malicious actions into standard network traffic.

Storm-0940’s password spray attacks show how attackers exploit low-detection, high-distribution methods to gain access to accounts without setting off alarms. Using minimal daily attempts per account, routing through compromised routers, and camouflaging traffic, Storm-0940 has perfected a strategy that evades traditional defenses. This attack methodology emphasizes the importance of enhanced monitoring and identity security across all organizational devices and networks.


[Figure: Diagram showing Storm-0940's password spray attack methodology, detailing each stage from initial access and preparation to low-frequency sign-in attempts and evasion tactics, including compromised router control and traffic camouflage.]
This flowchart illustrates Storm-0940’s sophisticated password spray attack process, a multi-step operation using compromised routers and stealth techniques to evade detection. By employing low-volume distributed attacks and camouflaging traffic, Storm-0940 minimizes the risk of exposure, allowing attacks to appear as normal user behavior. This visualization highlights the meticulous tactics employed by the group, emphasizing the importance of proactive cybersecurity measures.

Targets of Storm-0940’s Global Campaign

Storm-0940’s reach extends across a range of high-stakes sectors in North America and Europe, each representing critical infrastructures or sensitive information that, if compromised, could yield significant intelligence or influence. By targeting organizations in fields that shape global policy and defense, Storm-0940 demonstrates a strategic focus on assets with substantial geopolitical and economic impact. Their targets include:

  • Government Institutions and Defense Contractors: These entities are high-priority for any nation-state actor, especially those seeking insights into defense capabilities, diplomatic strategies, or policy shifts. Accessing credentials within these institutions offers a gateway to classified data, potentially impacting national security.
  • Think Tanks and Law Firms: Think tanks play a key role in advising on public policy, international relations, and security matters. Similarly, law firms, particularly those handling international cases, government contracts, or intellectual property, are rich in valuable information. By infiltrating these organizations, Storm-0940 can gain intelligence on evolving strategies, policy recommendations, and sensitive legal proceedings.
  • Non-Governmental Organizations (NGOs): NGOs focused on global issues—such as human rights, climate change, or international aid—are often involved in advocacy or direct action that affects global politics. Accessing these organizations’ networks can provide insight into international pressure points and movements, potentially informing strategies that align with the threat actor’s geopolitical interests.

Speed and Coordination in Exploitation

What sets Storm-0940 apart is their rapid exploitation cycle. Microsoft’s intelligence shows that Storm-0940 has, on numerous occasions, used compromised credentials from CovertNetwork-1658 on the very day they were acquired. This quick turnaround suggests a tightly coordinated operation, where the transition from reconnaissance to active exploitation is almost seamless. Such coordination implies that:

  • Real-Time Communication: There is likely real-time information sharing between the operators managing CovertNetwork-1658 and the Storm-0940 actors, allowing credentials to be deployed as soon as they are validated.
  • Adaptive Attack Strategies: The speed of exploitation also means that Storm-0940 can adjust tactics dynamically, exploiting opportunities as they arise without a lag in decision-making, which makes their attacks difficult to predict or counter.

Storm-0940’s target selection and rapid credential turnover underscore their operational sophistication and strategic focus. By homing in on entities central to policy, defense, and global issues, they maximize the intelligence value of each breach. Their close coordination and quick exploitation of credentials emphasize the importance of immediate incident response and robust monitoring to counteract the high-speed, high-stakes nature of these attacks.


[Figure: Diagram displaying the primary targets of Storm-0940's cyber campaigns, including government entities, think tanks, law firms, and NGOs, highlighting the strategic focus on sectors with high geopolitical impact.]
Storm-0940’s targeted sectors span government agencies, defense contractors, think tanks, law firms, and NGOs. This visual representation demonstrates the group’s strategic approach to infiltrating sectors with high geopolitical and economic stakes. By focusing on organizations with sensitive information, Storm-0940 aims to gather intelligence that can inform or impact global policy and defense.

The Technical Underpinnings and Indicators

Effectively defending against Storm-0940 hinges on recognizing the subtle technical indicators that characterize their attacks. One of the primary methods they use to evade detection is by mimicking legitimate web traffic. By carefully selecting user agent strings that resemble common browsers, they make their login attempts appear typical, seamlessly blending into standard network activity.

User Agent Strings and Stealth Techniques

In Storm-0940’s password spray campaigns, specific user agent strings have been identified that mimic legitimate web clients. These strings include:

  • Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko: This user agent mimics an older Internet Explorer configuration commonly found on enterprise networks, making it less likely to stand out in environments where legacy software is still in use.
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36: This string resembles a typical Chrome browser setup, one of the most widely used browsers. The inclusion of WebKit and Safari elements further reinforces its legitimacy.

These seemingly benign identifiers allow malicious login attempts to slip past defenses that rely on recognizing unusual traffic patterns. By deploying multiple, randomized user agents across thousands of login attempts, Storm-0940 reduces the likelihood of raising alarms, creating a deceptive normalcy.

Evasion Through Traffic Simulation

In addition to user agent manipulation, Storm-0940 uses these evasion tactics to keep detection tools off-balance:

  • Diverse IP Usage: By leveraging thousands of compromised IP addresses from CovertNetwork-1658, each attempt originates from a different source, mimicking the distributed logins expected in global organizations.
  • Low-Frequency Attempts: By keeping login attempts to a minimum per account per day, Storm-0940 stays under the threshold that would trigger account lockouts or suspicious activity alerts.

Storm-0940’s technical sophistication lies in their meticulous traffic camouflage. By mirroring legitimate browser configurations and spreading attacks across varied IPs, they bypass traditional detection mechanisms. Organizations need advanced behavioral analysis and anomaly detection capabilities to identify and counteract these nuanced, evasive tactics.


[Figure: Tree diagram explaining Storm-0940’s technical tactics for evasion, including user agent spoofing and traffic simulation using diverse IP addresses and low-frequency attempts to avoid detection.]
This diagram delves into the technical evasion techniques Storm-0940 uses to mask its operations. By simulating legitimate web traffic with manipulated user agent strings and distributing login attempts across a vast IP network, the group bypasses traditional detection. Understanding these indicators is crucial for cybersecurity teams aiming to identify and mitigate similar threats.

Recommendations for Robust Defense

To counter sophisticated threats like Storm-0940, organizations need a multi-layered cybersecurity approach that combines proactive user education, advanced security tools, and rigorous monitoring. Here’s what experts recommend for staying a step ahead:

1. Strengthen Credential Hygiene

  • Enforce Strong, Unique Passwords: Require complex, unique passwords across all accounts, avoiding common patterns or easily guessable terms. Educate users on password security and encourage the use of password managers to reduce reuse.
  • Adopt Passwordless Authentication: Implement passwordless solutions such as Windows Hello, FIDO keys, or biometrics. These methods reduce the dependency on passwords, making it much harder for attackers to gain access through credential-based attacks.

2. Enforce Multi-Factor Authentication (MFA) Universally

  • MFA on All Accounts: Ensure MFA is applied consistently across every account, with no exceptions for certain users or services. For maximum security, enforce MFA with methods that cannot be easily bypassed, such as biometrics or app-based authentication.
  • Expand MFA to Critical Access Points: Extend MFA to cover Remote Desktop Protocol (RDP), VPNs, and other remote access channels to mitigate the risk from password spray and brute-force attacks. For sensitive or high-privilege accounts, consider adaptive MFA that adjusts based on risk factors like device location or unusual login times.

3. Limit and Phase Out Legacy Authentication

  • Disable Legacy Protocols: Legacy authentication protocols (such as IMAP, POP3, and SMTP with basic authentication) cannot enforce MFA, making them prime targets for password spray attacks. Disable these protocols wherever possible, especially in cloud environments, to reduce exposure to attacks that bypass MFA.
  • Monitor for Legacy Logins: Set up alerts for any attempts to use legacy authentication, allowing quick response to any attempts to circumvent modern authentication protections.

4. Monitor and Detect Anomalous Behavior

  • Leverage Advanced Threat Detection Tools: Utilize tools like Microsoft Defender for Cloud Apps and Azure Sentinel to detect and respond to suspicious activity, such as unfamiliar sign-ins, location-based anomalies, or irregular login patterns.
  • Deploy Hunting Queries for Threat Intelligence: To stay proactive, run custom hunting queries that identify user behavior associated with Storm-0940, such as specific IP addresses, login patterns, and device indicators flagged in identity logs. Proactively reviewing these indicators can reveal threats early, giving teams a chance to mitigate them before full compromise.
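The low-and-slow pattern described under "The Anatomy of an Attack" and the two user agent strings listed under "User Agent Strings and Stealth Techniques" can be hunted for together in identity logs. The Python below is an added example, not code from this article or from Microsoft: it runs over a constructed sign-in log (the pipe-delimited layout, the example.test accounts and addresses, and the thresholds are assumptions for illustration), flags days on which many accounts each see a single failed sign-in from many different source addresses, counts hits on the listed user agents, and lists successful sign-ins from addresses that failed against other accounts the same day, which is the same-day credential use the article describes.

```python
from collections import defaultdict

# The two user agent strings the article reports for Storm-0940's spray activity.
STORM_0940_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
}

# Detection thresholds: assumptions for this example, tune them to your own sign-in volume.
MIN_TARGETED_ACCOUNTS = 8  # a spray touches many accounts in one day
LOW_FREQ_SHARE = 0.8       # share of targeted accounts seeing at most one failure (the 80% figure)
MIN_IP_SPREAD = 0.5        # distinct failing source IPs divided by failed attempts

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"  # constructed, benign

# Constructed sample log, one event per line: timestamp|user|source_ip|result|user_agent
SAMPLE_LOG = "\n".join(
    # 2024-11-01: one failed attempt against each of ten accounts, from ten different IPs, IE11 UA
    [f"2024-11-01T0{i}:1{i}:00Z|user{i:02d}@example.test|198.51.100.{i + 10}|failure|{IE11_UA}"
     for i in range(10)]
    + [
        # ordinary traffic: alice signs in; bob mistypes twice from one office IP, then succeeds
        f"2024-11-01T08:02:00Z|alice@example.test|10.0.0.5|success|{MODERN_UA}",
        f"2024-11-01T09:00:00Z|bob@example.test|10.0.0.7|failure|{MODERN_UA}",
        f"2024-11-01T09:00:20Z|bob@example.test|10.0.0.7|failure|{MODERN_UA}",
        f"2024-11-01T09:01:00Z|bob@example.test|10.0.0.7|success|{MODERN_UA}",
        # a sprayed password worked and is used the same day from another node of the network
        f"2024-11-01T15:30:00Z|user03@example.test|198.51.100.17|success|{IE11_UA}",
        # 2024-11-02: ordinary traffic only (one mistype, then success, from one IP)
        f"2024-11-02T08:40:00Z|carol@example.test|10.0.0.9|failure|{MODERN_UA}",
        f"2024-11-02T08:41:00Z|carol@example.test|10.0.0.9|success|{MODERN_UA}",
    ]
)

def parse_log(text):
    """Split pipe-delimited lines into event dicts; the user agent is the last field."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result, ua = line.split("|", 4)
        events.append({"day": ts[:10], "user": user, "ip": ip, "ok": result == "success", "ua": ua})
    return events

def analyze_day(events):
    """Summarize one day's sign-ins and decide whether they look like a distributed spray."""
    failed = [e for e in events if not e["ok"]]
    failures_per_user = defaultdict(int)
    for e in failed:
        failures_per_user[e["user"]] += 1
    targeted = len(failures_per_user)
    low_freq = sum(1 for n in failures_per_user.values() if n <= 1)
    low_freq_share = low_freq / targeted if targeted else 0.0
    failing_ips = {e["ip"] for e in failed}
    ip_spread = len(failing_ips) / len(failed) if failed else 0.0
    known_ua_hits = sum(1 for e in events if e["ua"] in STORM_0940_USER_AGENTS)
    spray = (targeted >= MIN_TARGETED_ACCOUNTS and low_freq_share >= LOW_FREQ_SHARE
             and ip_spread >= MIN_IP_SPREAD)
    # A success from an IP that failed against a *different* account the same day points at a
    # sprayed credential already in use; bob's own retries from his office IP do not qualify.
    successes_from_spray_ips = sorted(
        (e["user"], e["ip"]) for e in events
        if e["ok"] and any(f["ip"] == e["ip"] and f["user"] != e["user"] for f in failed)
    )
    return {
        "targeted_accounts": targeted,
        "low_freq_share": round(low_freq_share, 2),
        "distinct_failing_ips": len(failing_ips),
        "ip_spread": round(ip_spread, 2),
        "known_ua_hits": known_ua_hits,
        "spray_suspected": spray,
        "successes_from_spray_ips": successes_from_spray_ips,
    }

def hunt(text):
    by_day = defaultdict(list)  # group events by calendar day and analyze each day on its own
    for e in parse_log(text):
        by_day[e["day"]].append(e)
    return {day: analyze_day(evts) for day, evts in sorted(by_day.items())}

if __name__ == "__main__":
    for day, report in hunt(SAMPLE_LOG).items():
        print(day, "SPRAY SUSPECTED" if report["spray_suspected"] else "normal", report)
```

On the constructed data the first day is flagged (eleven targeted accounts, eleven failing addresses, eleven known-UA hits, and user03 signing in from an address that failed against user07), while the second day, with one ordinary mistype, is not.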

5. Harden Network Infrastructure and Device Security

  • Audit and Patch SOHO Routers: Regularly review and update firmware on all SOHO routers, particularly those within the organization’s perimeter. Enable automatic updates where possible and monitor for any signs of tampering, especially for routers from high-risk manufacturers.
  • Implement Network Segmentation and Firewall Rules: Use segmentation to isolate high-risk or critical systems, reducing the blast radius of a potential breach. Set strict firewall rules to control incoming and outgoing traffic, especially on ports like TCP 7777 and TCP 11288, which may be targeted in similar attacks.

An effective defense against advanced threats like Storm-0940 requires a blend of secure authentication practices, thorough infrastructure hardening, and proactive monitoring for early detection. Organizations that adopt these practices can better detect and block attackers before they gain a foothold, building a strong defense posture against even the most sophisticated cyber adversaries.


[Figure: Tree diagram providing layered cybersecurity recommendations to defend against Storm-0940, including credential hygiene, MFA, limiting legacy authentication, monitoring behavior, and network hardening.]
This structured recommendation chart highlights essential defense strategies to counteract threats like Storm-0940. From enforcing strong credential hygiene and multi-factor authentication (MFA) to monitoring anomalous behavior and hardening network infrastructure, these proactive measures form a multi-layered defense that mitigates risks posed by sophisticated cyber actors.

The Bigger Picture: What Does This Mean for Cyber Defense?

Storm-0940’s reliance on CovertNetwork-1658 exposes the broader cybersecurity challenge of defending against state-sponsored operations that utilize covert, distributed networks. The widespread use of SOHO routers in such attacks highlights a critical vulnerability: organizations often overlook peripheral devices in their security posture. These under-protected devices can become conduits for large-scale intrusions when exploited en masse.

The scale and rapid execution of Storm-0940’s operations underscore the need for a zero-trust approach to network security. The principle of never assuming safety and continuously verifying the trustworthiness of all connections is pivotal in minimizing the risk of unauthorized access.


FAQs on Storm-0940 and CovertNetwork-1658

What makes Storm-0940’s password spray attacks different from traditional brute-force methods?

Storm-0940’s password spray attacks differ from traditional brute-force methods in that they take a “low-and-slow” approach. Instead of repeatedly attempting multiple passwords on a single account, which often triggers account lockouts and alerts, password spray attacks use one common password across many accounts, spreading login attempts over a large network. This method significantly reduces detection chances, as it blends into typical network activity and avoids locking accounts.

Why are SOHO routers particularly vulnerable to being part of CovertNetwork-1658?

SOHO routers are especially vulnerable because they are often used in small offices and homes, where security standards may not be as rigorous as in corporate environments. These routers typically lack regular security updates and monitoring, making them easy targets for compromise. By exploiting these devices, Storm-0940 gains access to thousands of IPs, creating a massive covert network that can launch attacks from distributed, low-profile sources.

How does Storm-0940’s CovertNetwork-1658 infrastructure support its stealth capabilities?

CovertNetwork-1658 enhances Storm-0940’s stealth by providing a constantly rotating network of compromised IP addresses, achieved through thousands of compromised SOHO routers. This distributed network enables attacks from varied, unpredictable sources, making it challenging for security teams to trace back activities to a single origin. With each router acting as a unique IP node, Storm-0940 can bypass static IP blocks and adapt its approach to avoid detection.

What role do user agent strings play in evading detection during attacks?

User agent strings are critical for Storm-0940’s evasion strategy. By carefully selecting and modifying user agent strings to resemble legitimate browsers (such as Internet Explorer or Chrome), Storm-0940 disguises its login attempts, making them look like typical user traffic. These benign identifiers allow malicious logins to blend in with normal activity, making it harder for detection systems that rely on unusual traffic patterns to identify suspicious behavior.

How quickly does Storm-0940 exploit credentials once they are obtained?

Storm-0940 has demonstrated a rapid exploitation cycle, often using compromised credentials from CovertNetwork-1658 on the same day they are obtained. This quick turnover highlights a highly coordinated operation, where compromised credentials are immediately validated and deployed. Real-time communication between network operators and attackers facilitates this speed, allowing for swift transitions from reconnaissance to active exploitation.

What proactive measures can organizations take to detect and block Storm-0940’s tactics?

Organizations can implement several measures to defend against tactics used by Storm-0940:

  • Enforce Multi-Factor Authentication (MFA): Adding an additional layer of verification can block unauthorized access, even if passwords are compromised.
  • Deploy Advanced Threat Detection: Solutions like Microsoft Defender and Sentinel can detect irregular sign-ins, abnormal IP addresses, and traffic anomalies associated with password spray attacks.
  • Disable Legacy Authentication: Legacy protocols that do not support MFA can be easily exploited, so disabling them reduces vulnerabilities.
  • Enhance Network Monitoring: Regularly monitor logs for unusual traffic patterns, such as low-frequency login attempts from varied IPs, which can indicate a password spray attack.

How can companies safeguard SOHO routers within their networks?

Securing SOHO routers starts with applying regular firmware updates to patch known vulnerabilities. Organizations should also enforce strong, unique passwords on routers, disable unused services (like remote management), and implement network segmentation to isolate SOHO devices from critical systems. Monitoring router activity for unusual connections and applying firewall rules to restrict access further strengthens their defenses against attacks like those used by Storm-0940.

Why does Storm-0940 target NGOs, think tanks, and law firms?

Storm-0940 targets NGOs, think tanks, and law firms because they are rich in valuable information related to policy, legal matters, and international relations. These sectors often handle sensitive data on government policies, intellectual property, human rights, and other global issues that could benefit nation-state interests. By infiltrating these organizations, Storm-0940 gains access to insights and strategies that can inform geopolitical decisions, making them valuable targets.

What should organizations look for as indicators of a possible Storm-0940 attack?

Indicators of a possible Storm-0940 attack include:

  • Increased login attempts across multiple accounts: Low-frequency, dispersed attempts, with only one or two failed sign-ins per account but many accounts touched.
  • Unusual IP activity: Sign-ins from varied IPs, particularly those associated with SOHO routers or atypical regions.
  • User agent anomalies: Login attempts using outdated or uncommon user agents that match those seen in Storm-0940’s activity (e.g., Internet Explorer 11 or an older Chrome version).
  • Sudden surges in login traffic: Distributed login attempts, particularly during off-hours, can suggest a coordinated password spray campaign.

How does Storm-0940’s use of CovertNetwork-1658 affect traditional IP-based defenses?

Traditional IP-based defenses are rendered less effective by Storm-0940’s CovertNetwork-1658. By using a distributed network of IPs, Storm-0940 ensures that attacks originate from thousands of different addresses, making it hard to block specific IPs without affecting legitimate users. The frequent IP rotation also enables attackers to evade static blocks and blacklists, highlighting the need for behavior-based detection instead of solely relying on IP filtering.


Conclusion: Build Resilience and Adaptability

Storm-0940 highlights the growing sophistication of nation-state cyber threats and the limitations of traditional defenses. To stay protected, organizations must adopt multi-layered security strategies, from strong identity management to advanced threat monitoring. Building resilience through adaptive, proactive measures—such as behavioral analysis and employee vigilance—can make the difference between vulnerability and security in today’s dynamic threat landscape.

