Storm-2755 Hijacks Payroll via AiTM Attacks
Financially motivated group Storm-2755 targets Canadian employees using AiTM session hijacking to redirect salary payments.

Executive Summary
A financially driven threat actor tracked as Storm-2755 has been conducting targeted payroll redirection attacks against Canadian organizations. Using adversary-in-the-middle (AiTM) proxies, the group captures the session cookies a service issues after the victim has completed MFA. The stolen session passes as fully authenticated, so the MFA check is sidestepped rather than broken, and the attacker uses the session to change where payroll is paid.
Technical Analysis
The Storm-2755 campaign relies on AiTM infrastructure to intercept real-time communication between users and targeted web applications, particularly HR and payroll portals. A conventional phishing kit only captures the username and password typed into a fake login page, which is why MFA defeats it. An AiTM proxy instead relays every request to the real service and every response back to the victim in real time, so the victim completes MFA against the genuine site and the proxy captures the session cookie the site issues afterwards. Holding that cookie, the attacker has a fully authenticated session and can perform actions such as modifying direct deposit information without any prompt reaching the user. According to CyberSecurity News [^1], the group uses legitimate browser automation tools such as Puppeteer or Selenium to simulate user behaviour, making detection more challenging. Once inside, they alter payment details to route salaries to external accounts under their control.
Tactics, Techniques & Procedures
Storm-2755 opens its campaigns with phishing emails tailored to HR personnel. The messages carry links to AiTM proxy servers that mimic the official login page. When the victim signs in, the proxy forwards the credentials and the MFA response to the real service, captures the session cookie the service sets in its reply, and passes that cookie to the attacker while the victim's own connection continues normally. Presenting the cookie from their own browser, the attacker can modify sensitive fields within the payroll interface, including bank account and routing numbers and recipient names. The use of headless browsers suggests an attempt to evade the behavioural analysis built into modern authentication platforms.
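The relay described above leaves a footprint in identity and application logs: the sign-in arrives from the proxy's address rather than the user's usual one, the cookie is then presented again from the attacker's host, and the bank-detail change follows within minutes. The following is an added example (not code from the page or from any vendor product) that runs those two heuristics over a few constructed audit events; the field names, addresses and known-IP history are assumptions.

```python
"""Flag AiTM-style session replay and rapid direct-deposit changes in audit logs.

Added example, not code from the page or from any vendor product. It runs a
few constructed JSON-lines audit events (the field names "event", "user",
"session" and "ip" are assumptions about what an identity provider or payroll
portal would log) through two heuristics that follow from how an AiTM proxy
works: the victim signs in through the proxy, so the sign-in arrives from the
proxy's address, and the stolen cookie is then presented again from the
attacker's own host.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Addresses are documentation ranges, not real hosts.
# alice: signs in through the proxy (192.0.2.10), cookie replayed from
#        198.51.100.77, direct deposit changed minutes later -> both heuristics fire
# bob:   ordinary sign-in and a bank change from his usual address -> no finding
# carol: sign-in from a new address but no payroll change          -> no finding
SAMPLE_EVENTS = """\
{"ts":"2025-03-10T13:01:05Z","event":"signin","user":"alice@example.ca","session":"S-7f3a","ip":"192.0.2.10"}
{"ts":"2025-03-10T13:02:40Z","event":"portal.view","user":"alice@example.ca","session":"S-7f3a","ip":"198.51.100.77"}
{"ts":"2025-03-10T13:05:12Z","event":"payroll.direct_deposit.update","user":"alice@example.ca","session":"S-7f3a","ip":"198.51.100.77"}
{"ts":"2025-03-10T14:20:00Z","event":"signin","user":"bob@example.ca","session":"S-91c0","ip":"203.0.113.40"}
{"ts":"2025-03-10T14:25:31Z","event":"payroll.direct_deposit.update","user":"bob@example.ca","session":"S-91c0","ip":"203.0.113.40"}
{"ts":"2025-03-11T09:00:00Z","event":"signin","user":"carol@example.ca","session":"S-aa10","ip":"198.51.100.5"}
{"ts":"2025-03-11T09:03:00Z","event":"portal.view","user":"carol@example.ca","session":"S-aa10","ip":"198.51.100.5"}
"""

# Addresses each user has signed in from before (in practice, sign-in history).
KNOWN_IPS = {
    "alice@example.ca": {"203.0.113.25"},
    "bob@example.ca": {"203.0.113.40"},
    "carol@example.ca": {"203.0.113.60"},
}

SENSITIVE_EVENT = "payroll.direct_deposit.update"


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def replayed_sessions(events):
    """Sessions whose cookie was presented from more than one client address."""
    addrs = defaultdict(set)
    for ev in events:
        addrs[ev["session"]].add(ev["ip"])
    return {s for s, ips in addrs.items() if len(ips) > 1}


def suspicious_payroll_changes(events, known_ips, window=timedelta(minutes=30)):
    """Return one finding per direct-deposit change that looks like AiTM fraud."""
    replayed = replayed_sessions(events)
    signin_for = {ev["session"]: ev for ev in events if ev["event"] == "signin"}
    findings = []
    for ev in events:
        if ev["event"] != SENSITIVE_EVENT:
            continue
        reasons = []
        if ev["session"] in replayed:
            reasons.append("session cookie presented from more than one address")
        signin = signin_for.get(ev["session"])
        if signin is not None:
            unfamiliar = signin["ip"] not in known_ips.get(ev["user"], set())
            if unfamiliar and ev["ts"] - signin["ts"] <= window:
                minutes = int((ev["ts"] - signin["ts"]).total_seconds() // 60)
                reasons.append(f"bank change {minutes} min after sign-in from unfamiliar address {signin['ip']}")
        if reasons:
            findings.append({"user": ev["user"], "session": ev["session"],
                             "ts": ev["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_payroll_changes(parse_events(SAMPLE_EVENTS), KNOWN_IPS):
        print(f"{f['ts']} {f['user']} session {f['session']}: " + "; ".join(f["reasons"]))
```

On the constructed input only alice's change is reported, with both reasons; bob's change from his usual address and carol's sign-in from a new address without any payroll change produce nothing, which keeps the rule from paging on every travelling employee. In a real deployment the address comparison should also consider ASN or device identifiers, since a proxy and the attacker's replay host may sit on the same hosting provider.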
Threat Actor Context
Storm-2755 is described as a financially motivated cybercriminal collective primarily focused on payroll manipulation targeting Canadian businesses [^1]. While attribution remains uncertain, operational security practices suggest moderate sophistication and possible prior experience with credential-based fraud. No confirmed nation-state ties have been reported.
Mitigations & Recommendations
To defend against AiTM-enabled payroll theft:
- Require step-up authentication for financial transactions, especially any change to banking details: the user should re-authenticate with phishing-resistant MFA against a fresh server-issued challenge immediately before the change is committed, so a replayed session cookie on its own is not enough.
- Restrict access to HR/payroll systems by job role and necessity, and review which accounts can edit direct-deposit fields.
- Monitor identity and application logs for the footprint of cookie replay: a session cookie presented from a different IP address or device than the one that signed in, sign-ins from newly registered or hosting-provider infrastructure, and payroll changes made minutes after such a sign-in. Bear in mind that the victim's TLS connection terminates at the attacker's proxy, so on-network TLS inspection sees an ordinary session to a lookalike domain rather than anything that resembles interception.
- Enforce FIDO2/WebAuthn wherever possible. The authenticator's assertion is bound to the origin the browser actually connected to and to a server-issued challenge, so an assertion produced on the proxy's domain is rejected by the real site and cannot be relayed.
- Conduct regular training for HR staff on social engineering red flags, including lookalike login pages reached from links in unsolicited e-mail.
Additionally, organizations should review recent changes to employee banking information and validate them manually if they were made outside standard procedures, confirming with the affected employee through a channel other than e-mail.
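The first and fourth recommendations combine naturally: a bank-detail change is committed only after a WebAuthn step-up whose assertion names the real origin and a challenge minted for that specific change. The following is an added example, not code from the page or from any WebAuthn library, that implements the relying-party checks with the standard library only; the relying-party ID and origin, the lookalike proxy domain and the pending-change record are assumptions. Verification of the authenticator's signature over authenticatorData and the hash of clientDataJSON is left to a real WebAuthn library; the point here is the origin and challenge binding that a relayed login cannot satisfy.

```python
"""Relying-party checks that make a FIDO2/WebAuthn step-up resistant to AiTM.

Added example, not code from the page or from any WebAuthn library. It
implements, with the standard library only, the checks a payroll portal would
run on a WebAuthn assertion before committing a bank-detail change: challenge
freshness, challenge match, origin match, rpIdHash match and the user-presence
and user-verification flags. RP_ID, RP_ORIGIN, the lookalike proxy domain and
the pending-change record are assumptions. Signature verification over
authenticatorData || SHA-256(clientDataJSON) is left to a real WebAuthn library.
"""
import base64
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone

RP_ID = "example.ca"                 # assumed relying-party ID
RP_ORIGIN = "https://hr.example.ca"  # the only origin the portal accepts
FLAG_UP, FLAG_UV = 0x01, 0x04        # authenticatorData flag bits


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_step_up(pending_change: dict) -> dict:
    """Server side: mint a one-time challenge tied to one specific pending change."""
    return {"challenge": b64url(secrets.token_bytes(32)),
            "change": pending_change,
            "issued": datetime.now(timezone.utc)}


def simulate_assertion(origin_seen_by_browser: str, challenge: str,
                       flags: int = FLAG_UP | FLAG_UV) -> dict:
    """Client side, simulated: the browser writes the origin it is actually
    connected to into clientDataJSON and the authenticator hashes the RP ID
    into authenticatorData. Neither the user nor page script can alter them."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": origin_seen_by_browser}).encode()
    auth_data = (hashlib.sha256(RP_ID.encode()).digest()
                 + bytes([flags])
                 + (1).to_bytes(4, "big"))       # signature counter
    return {"clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data)}


def verify_step_up(assertion: dict, step_up: dict,
                   max_age: timedelta = timedelta(minutes=5), now: datetime = None):
    """Server side: return (ok, reason). Every check must pass before the
    payroll change recorded in step_up['change'] is committed."""
    now = now or datetime.now(timezone.utc)
    if now - step_up["issued"] > max_age:
        return False, "challenge expired"
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != step_up["challenge"]:
        return False, "challenge mismatch"            # blocks replay of an old assertion
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"  # blocks AiTM relay
    auth = b64url_decode(assertion["authenticatorData"])
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification required for bank-detail changes"
    return True, "ok"


if __name__ == "__main__":
    change = {"user": "alice@example.ca", "field": "bank_account"}  # constructed
    step_up = issue_step_up(change)
    # Genuine user on the real portal.
    print(verify_step_up(simulate_assertion(RP_ORIGIN, step_up["challenge"]), step_up))
    # Same user and key, but the page was served by an AiTM proxy on a lookalike domain.
    print(verify_step_up(simulate_assertion("https://hr.example-login.net",
                                            step_up["challenge"]), step_up))
```

In practice the browser itself refuses to exercise a credential scoped to `example.ca` when the page is on another registrable domain, so the proxy never obtains an assertion at all; the server-side origin check is the defence in depth the WebAuthn specification requires of the relying party in any case. Binding the challenge to the specific pending change, and expiring it within minutes, also means an assertion captured earlier for a harmless action cannot be reused to approve a bank-detail edit.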
