Into the Lion’s Den: A Deep Dive into Storm-0539

Waymon Ho | Emiel Haeghebaert | Alison Ali

Let’s go back to a different crime before the era of ransomware! Storm-0539, also known as Atlas Lion, is a cyber-criminal group focused on gift card theft. Storm-0539 has been active since at least 2021 and continues to be a very persistent threat actor in 2024. Learn from Microsoft Threat Intelligence (MSTIC) analysts on how this threat actor stayed relevant throughout the years, adapting to the ever-changing criminal landscape. Discover how the actor operates against its targets, learn how to hunt for and defend against them, and take a deep dive with us into how they use several interesting techniques to maintain their edge.

In this talk, we will discuss several aspects of Storm-0539 derived from real world engagements, which include their origins, how they operate, their TTPs across the Cyber Kill Chain, and the interesting ways they abuse cloud and identity infrastructure to achieve their end goals. This talk also aims to arm viewers with information on how to identify and protect against this threat actor.