{"id":76100,"date":"2015-11-16T14:02:11","date_gmt":"2015-11-16T22:02:11","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=76100"},"modified":"2023-05-15T23:06:06","modified_gmt":"2023-05-16T06:06:06","slug":"microsoft-security-intelligence-report-strontium","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/","title":{"rendered":"Microsoft Security Intelligence Report: Strontium"},"content":{"rendered":"<div class=\"ExternalClass0BC742007D3C4FDCAFA8CA5E64981A9F\">\n<p>The <a href=\"http:\/\/www.microsoft.com\/security\/sir\/default.aspx\">Microsoft Security Intelligence Report<\/a> (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide.<\/p>\n<p>The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM \u2013 a group that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations.<\/p>\n<p>Since 2007, the group has targeted:<\/p>\n<ul>\n<li>Government bodies<\/li>\n<li>Diplomatic institutions<\/li>\n<li>Military forces and installations<\/li>\n<li>Journalists<\/li>\n<li>Political advisors and organizations<\/li>\n<\/ul>\n<h3>Attack vectors: How they manage to get in<\/h3>\n<p>A STRONTIUM actor attack usually has two components:<\/p>\n<ol>\n<li>A spear phishing attempt that targets specific individuals within an organization. This phishing attempt is used to gather information about potential high-value targets and steal their login credentials.<\/li>\n<li>A second phase that attempts to download malware using software <a href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/glossary.aspx#vulnerability\">vulnerabilities <\/a>to further infect the target computers and spread through networks.<\/li>\n<\/ol>\n<p><strong>Spear phishing<\/strong><\/p>\n<p>We estimate the STRONTIUM actor targeted several thousand people with spear phishing attacks during the first half of 2015. The goal of the spam email attack is to get a list of high-value individuals with access to sensitive information.<\/p>\n<p>The phishing email usually attempts to trick the target into believing there has been an unauthorized user accessing their account.<\/p>\n<p>The email includes a link to a website under the attacker\u2019s control that prompts the victim to change their password. If the attack is successful, the stolen credentials can be used to access the victim\u2019s email account.<\/p>\n<p>Visiting the malicious website can also send sensitive information to the attacker, even when no credentials are entered. The sensitive information can include details of the victim\u2019s PC -including its IP address, browser and operating system versions, and any browser add-ons installed. This information can be used to target the individual with software exploits.<\/p>\n<p><strong>Malware downloads<\/strong><\/p>\n<p>The second phase of a STRONTIUM actor attack is to install malware on the compromised machine in an attempt to gain access to other machines on the network.<\/p>\n<p>Usually, the malware is installed through a malicious link in an email. However, we have also seen social networks used to spread malicious links. The highly-targeted emails use current events, such as an upcoming conference, to entice the victim to click a link for \u201cadditional information\u201d. The email is sent from well-known email providers and sender names that are designed to look credible.<\/p>\n<p>When the link is clicked, a drive-by-download attack is launched using software vulnerabilities. The attacks often use <a href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/glossary.aspx#exploit\">zero-day exploits<\/a> that target vulnerabilities for which the affected software vendor has not yet released a security update.<\/p>\n<p>If the attack is successful the attacker tries to compromise other machines within the targeted organization to gather more sensitive information.<\/p>\n<p>See the <a href=\"http:\/\/www.microsoft.com\/security\/sir\/default.aspx\">Microsoft Security Intelligence Report (SIRv19)<\/a> for more technical details on the methods used by STRONTIUM.<\/p>\n<h3>Preventing attacks<\/h3>\n<p>You can reduce the likelihood of a successful compromise in a number of ways. Use an up-to-date real-time security product, such as <a href=\"https:\/\/www.microsoft.com\/security\/pc-security\/windows-defender.aspx\">Windows Defender for Windows 10<\/a>.<\/p>\n<p>In an enterprise environment you should also:<\/p>\n<ul>\n<li>Keep all your software up-to-date and deploy security updates as soon as possible<\/li>\n<li>Enforce segregation of privileges on user accounts and apply all possible safety measures to protect administrator accounts from compromise<\/li>\n<li>Conduct enterprise software security awareness training, and build <a href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/prevention.aspx\">awareness about malware infection prevention<\/a><\/li>\n<li>Institute multi-factor authentication<\/li>\n<\/ul>\n<p>The<a href=\"http:\/\/www.microsoft.com\/security\/sir\/default.aspx\">Microsoft Security Intelligence Report (SIRv19)<\/a> has more advice and detailed analysis of STRONTIUM, as well as other information about malware and unwanted software.<\/p>\n<p>The Microsoft Malware Protection Center\u2019s <a href=\"https:\/\/www.microsoft.com\/security\/portal\/enterprise\/threatreports.aspx\">November Threat Intelligence Report<\/a> also includes detailed information, resources, and advice to mitigate the risk of advanced persistent threats (APTs).<\/p>\n<\/div>\n<hr \/>\n<h4><strong>Talk to us<\/strong><\/h4>\n<p>Questions, concerns, or insights on this story? Join discussions at the <a href=\"https:\/\/answers.microsoft.com\/en-us\/protect\" target=\"_blank\" rel=\"noopener\">Microsoft community<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\" target=\"_blank\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/WDSecurity\" target=\"_blank\" rel=\"noopener\">@WDSecurity.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide. The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM \u2013 a group that uses zero-day exploits to collect the sensitive information of [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3728,3738],"tags":[3829],"coauthors":[1968],"class_list":["post-76100","post","type-post","status-publish","format-standard","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-business-email-compromise","threat-intelligence-threat-actors","tag-forest-blizzard-strontium"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Microsoft Security Intelligence Report: Strontium | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Security Intelligence Report: Strontium | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide. The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM \u2013 a group that uses zero-day exploits to collect the sensitive information of [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2015-11-16T22:02:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T06:06:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-microsoft_logo_element.png\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Microsoft Security Intelligence Report: Strontium\",\"datePublished\":\"2015-11-16T22:02:11+00:00\",\"dateModified\":\"2023-05-16T06:06:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/\"},\"wordCount\":626,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"keywords\":[\"Forest Blizzard (STRONTIUM)\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/\",\"name\":\"Microsoft Security Intelligence Report: Strontium | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"datePublished\":\"2015-11-16T22:02:11+00:00\",\"dateModified\":\"2023-05-16T06:06:06+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Security Intelligence Report: Strontium\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Security Intelligence Report: Strontium | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft Security Intelligence Report: Strontium | Microsoft Security Blog","og_description":"The Microsoft Security Intelligence Report (SIR) provides a regular snapshot of the current threat landscape, using data from more than 600 million computers worldwide. The latest report (SIRv19) was released this week and includes a detailed analysis of the actor group STRONTIUM \u2013 a group that uses zero-day exploits to collect the sensitive information of [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/","og_site_name":"Microsoft Security Blog","article_published_time":"2015-11-16T22:02:11+00:00","article_modified_time":"2023-05-16T06:06:06+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-microsoft_logo_element.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Microsoft Security Intelligence Report: Strontium","datePublished":"2015-11-16T22:02:11+00:00","dateModified":"2023-05-16T06:06:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/"},"wordCount":626,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"keywords":["Forest Blizzard (STRONTIUM)"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/","name":"Microsoft Security Intelligence Report: Strontium | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"datePublished":"2015-11-16T22:02:11+00:00","dateModified":"2023-05-16T06:06:06+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2015\/11\/16\/microsoft-security-intelligence-report-strontium\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft Security Intelligence Report: Strontium"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/76100"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=76100"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/76100\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=76100"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=76100"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=76100"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=76100"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=76100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=76100"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=76100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}