China-linked Storm-1175 exploits zero-days to rapidly deploy Medusa ransomware

April 10, 2026 | 6 min read | 3 sources

An emerging threat actor blends speed and sophistication

A newly identified threat actor, designated Storm-1175 and linked to Chinese state interests, is orchestrating high-velocity ransomware attacks by weaponizing a potent mix of zero-day and N-day vulnerabilities. Security researchers have observed the group compromising internet-facing systems with remarkable speed to deploy the Medusa ransomware, signaling a concerning evolution in tactics where espionage-grade tools are used for disruptive, financially motivated campaigns.

The group’s proficiency in identifying and exploiting weaknesses in network perimeters allows them to gain initial access and execute their entire attack chain in a compressed timeframe. This operational tempo presents a significant challenge for defenders, drastically shortening the window between detection and widespread network encryption.

Background: Who is Storm-1175?

The “Storm” designation is used by Microsoft to track new or emerging threat clusters whose origin or affiliation is not yet definitively established. The attribution of Storm-1175 to China suggests that its tactics, techniques, and procedures (TTPs) align with those of known Advanced Persistent Threat (APT) groups operating in support of the Chinese state. Historically, these groups, such as APT41 (Barium) and Volt Typhoon (Bronze Silhouette), have demonstrated exceptional skill in exploiting vulnerabilities in perimeter devices like VPNs, firewalls, and email gateways (Source: CISA).

The payload of choice, Medusa ransomware, has been active since 2023. It operates a Ransomware-as-a-Service (RaaS) model and is known for its double-extortion tactics. After encrypting a victim’s files, the operators threaten to publish stolen data on their public leak site if the ransom is not paid. The use of Medusa by a state-linked actor blurs the lines between espionage and cybercrime, a tactic sometimes used to generate revenue, create plausible deniability, or simply cause chaos as a primary objective.

Technical analysis of the attack chain

The effectiveness of Storm-1175’s campaigns hinges on their ability to rapidly chain together vulnerabilities for initial access and execute post-compromise activities before defenders can react. The attack pattern follows a logical, albeit accelerated, progression.

1. Reconnaissance and weaponization

Storm-1175 begins by conducting broad, automated scanning of the internet to identify vulnerable systems. Their focus is on high-value perimeter appliances and software that, if compromised, provide a direct gateway into a corporate network. This includes:

  • VPN Concentrators (e.g., Ivanti Connect Secure, Fortinet FortiGate)
  • Email Security Gateways (e.g., Barracuda ESG)
  • Web Servers (e.g., Microsoft Exchange Server)

The group leverages both N-day vulnerabilities—flaws for which a patch is available but not yet applied—and zero-day vulnerabilities, which are unknown to the vendor and have no patch. This dual approach maximizes their pool of potential targets. While security teams scramble to patch known issues, Storm-1175 can use a zero-day to bypass even the most diligent patch management programs.

2. Initial access and foothold

Upon identifying a vulnerable target, the actor exploits the flaw to gain initial access, often achieving remote code execution (RCE) on the device. This initial foothold is typically stealthy: persistence is established through techniques such as web shells or modifications to legitimate system configurations. This method is consistent with past campaigns attributed to Chinese APTs, such as the Hafnium group's exploitation of Microsoft Exchange zero-days in 2021 (Source: Microsoft Security Response Center).

3. Lateral movement and deployment

Once inside the network, the group moves with speed. They use living-off-the-land binaries (LOLBins) and legitimate administrative tools like PowerShell, PsExec, and Windows Management Instrumentation (WMI) to move laterally across the network. This technique helps them evade detection by blending in with normal administrative activity. After escalating privileges to a domain administrator, they are positioned to deploy the Medusa ransomware.

The ransomware is pushed out to as many endpoints and servers as possible through automated scripts. In some cases, operators first exfiltrate sensitive data to a command-and-control (C2) server, setting the stage for their double-extortion demand. The entire process from initial breach to ransomware deployment can occur within hours, underscoring the “high-velocity” nature of the attacks.

Impact assessment: A widespread and severe threat

The threat posed by Storm-1175 is severe and affects a wide range of organizations. Any entity with an internet-facing presence that uses common enterprise-grade network appliances is a potential target. Given the typical targeting patterns of China-linked actors, industries such as government, defense, technology, telecommunications, and critical infrastructure should consider themselves at elevated risk.

The potential impacts include:

  • Operational Disruption: Widespread encryption of systems can halt business operations entirely, leading to significant downtime and revenue loss.
  • Financial Costs: These extend beyond a potential ransom payment to include incident response, system restoration, regulatory fines, and legal fees.
  • Data Breach and Extortion: The theft and threatened release of sensitive corporate or customer data can cause immense reputational damage and create long-term liabilities. Strong data encryption at rest and in transit is a critical layer of defense against the exfiltration phase.
  • Espionage as a Motive: In a state-sponsored attack, the ransomware could be a smokescreen for the primary objective: stealing intellectual property or strategic intelligence. The financial demand may simply be a distraction from the true damage done.

How to protect yourself

Defending against a fast-moving threat actor that uses zero-day vulnerabilities requires a multi-layered, proactive security posture. Waiting to react is not a viable strategy.

  1. Aggressive Patch Management: The use of N-day vulnerabilities highlights the importance of timely patching. Prioritize updates for all internet-facing systems, including VPNs, firewalls, and application servers. Establish a process for emergency, out-of-band patching when critical vulnerabilities are announced.
  2. Harden the Perimeter: Reduce your attack surface by disabling unnecessary services and ports on all internet-facing devices. Enforce strong access controls and implement multi-factor authentication (MFA) for all remote access, especially for administrative accounts. Using a trusted VPN service with modern protocols can add a layer of security.
  3. Implement Network Segmentation: Segment your network to prevent attackers from moving laterally. If a perimeter device is compromised, segmentation can contain the breach and prevent the threat actor from reaching critical internal assets like domain controllers and databases.
  4. Deploy Advanced Threat Detection: Use Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions. These tools can identify suspicious behavior associated with post-compromise activities, such as the use of LOLBins or attempts to disable security software, providing an opportunity to intervene before ransomware is deployed.
  5. Maintain Immutable Backups: Ensure you have a comprehensive backup and recovery strategy. Follow the 3-2-1 rule (three copies of data, on two different media, with one off-site). Test your recovery process regularly to confirm you can restore operations quickly after an attack.
  6. Develop and Test an Incident Response Plan: Have a clear plan for what to do when a breach occurs. This plan should define roles, communication strategies, and technical steps for containment and eradication. Conduct tabletop exercises to ensure your team is prepared to execute the plan under pressure.
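The post-compromise behaviours described in the attack chain above (PowerShell, PsExec and WMI used for lateral movement, and attempts to disable security software) are the kind of activity recommendation 4 expects EDR to flag. The following is an added example, not code from the article or from any vendor product: a small set of detection rules run over constructed event records whose field names are an assumption loosely modelled on Sysmon process-creation and Windows service-install events.

```python
"""Illustrative detections for LOLBin lateral movement and security-tool tampering.
The event records below are constructed for this example; the field names
(id, host, image, parent, cmd, service, path) are an assumed schema, not a
vendor's. Rules are deliberately simple so the logic is easy to audit."""
import re

# Constructed sample telemetry: four suspicious events and one benign one.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 1, "host": "srv02", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "cmd.exe /c whoami"},
    {"id": 7045, "host": "dc01", "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 1, "host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe notes.txt"},
]

ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
DEFENDER_TAMPER = re.compile(r"(?i)Set-MpPreference\s+.*-Disable\w+")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule is (name, predicate over one event). Process-creation events use id 1,
# service installations use id 7045 (the Windows System log event for a new service).
RULES = [
    ("encoded_powershell", lambda e: e["id"] == 1 and _basename(e["image"]) == "powershell.exe"
                                     and bool(ENCODED_PS.search(e["cmd"]))),
    ("wmi_remote_exec", lambda e: e["id"] == 1 and _basename(e["parent"]) == "wmiprvse.exe"),
    ("psexec_service_install", lambda e: e["id"] == 7045
                                     and "psexesvc" in (e.get("service", "") + e.get("path", "")).lower()),
    ("defender_tamper", lambda e: e["id"] == 1 and bool(DEFENDER_TAMPER.search(e["cmd"]))),
]

def detect(events):
    """Return (host, rule_name) pairs for every event that matches a rule."""
    return [(e["host"], name) for e in events for name, pred in RULES if pred(e)]

def hosts_to_contain(events):
    """Distinct hosts with at least one hit, sorted; a starting point for isolation."""
    return sorted({host for host, _ in detect(events)})

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The encoded-PowerShell and WMI-parent rules will also fire on some legitimate administration, so in practice they are tuned against a baseline of expected admin activity rather than used as standalone alerts.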

The emergence of Storm-1175 demonstrates the continuing convergence of nation-state capabilities and cybercriminal tactics. Their speed and reliance on high-impact vulnerabilities make them a formidable adversary. Organizations must assume they are a target and build defenses capable of withstanding these rapid, sophisticated attacks.


// FAQ

What is a zero-day vulnerability?

A zero-day vulnerability is a flaw in software, firmware, or hardware that is unknown to the vendor or the public. Because there is no patch available, attackers can exploit it to compromise systems before defenders can protect them.

Who is the threat actor Storm-1175?

Storm-1175 is a new or emerging threat actor that has been linked to Chinese state interests. The 'Storm' designation is used by Microsoft for threat clusters whose attribution has not yet been definitively established. This actor is notable for its speed and its use of both zero-day and N-day vulnerabilities to deploy Medusa ransomware.

What makes these attacks 'high-velocity'?

The attacks are described as 'high-velocity' because the threat actor moves from initial breach to final payload deployment (ransomware) in an extremely short amount of time, often just hours. This is achieved through automated scanning and the use of efficient, pre-planned post-exploitation techniques.

Why would a nation-state actor use ransomware?

Nation-state actors may use ransomware for several reasons. It can be a way to generate revenue for the state, cause disruption and chaos in a target country, or act as a smokescreen to distract from the primary goal of espionage and data theft. It also provides a degree of plausible deniability.
