To Avoid Detection, Russian SVR Hackers Use Google Drive and Dropbox

In order to avoid detection, state-sponsored hackers working for Russia’s Foreign Intelligence Service (SVR) have started using Google Drive, a widely trusted cloud storage service, in their operations.

By routing their operations through online storage services that millions of people worldwide trust, the Russian threat actors can exfiltrate data and distribute their malware and attack tools in a way that is extremely difficult, if not impossible, to identify and block.

This new strategy was adopted by the threat actor known as APT29 (also known as Cozy Bear or Nobelium) in recent attacks that targeted Western diplomatic posts and foreign embassies globally between early May and June 2022.

Unit 42 analysts who noticed the new pattern noted, “We have found that their two most recent campaigns utilised Google Drive cloud storage facilities for the first time.”

“The use of Google Drive cloud storage facilities in this APT’s malware delivery procedure is extremely troubling due to their ubiquity and the trust that millions of users worldwide place in them.”

However, this is not the first time APT29 hackers have misused legitimate online services for command-and-control and storage purposes, as Mandiant discovered in an April report detailing one of the group’s phishing campaigns.

Mandiant observed that the cyberespionage group’s phishing attempts targeted staff members of numerous diplomatic organizations throughout the world, a focus consistent with current Russian geopolitical strategic aims and with prior APT29 targeting, just as in the campaigns observed by Unit 42.

High-profile targets of APT29

The Russian Foreign Intelligence Service (SVR) hacking unit known as APT29, which has also been tracked as Cozy Bear, The Dukes, and Cloaked Ursa, was responsible for the 2020 SolarWinds supply-chain attack that resulted in the compromise of numerous U.S. federal agencies.

The most recent U.S. government body to disclose a compromise stemming from the SolarWinds global hacking campaign was the U.S. Department of Justice, which revealed at the end of July that 27 U.S. Attorneys’ offices had been hacked.

In April 2021, the U.S. government officially attributed the coordination of the SolarWinds “broad-scope cyber espionage effort,” which resulted in the breach of numerous U.S. government entities, to the SVR.

Microsoft stated in October that the group is also focusing on the IT supply chain, having compromised at least 14 businesses after hitting about 140 managed service providers (MSPs) and cloud service providers since May 2021.

Unit 42 has recently observed the Brute Ratel adversarial attack simulation tool being used in attacks that are thought to be connected to the Russian SVR cyberspies.

The Brute Ratel sample “was packaged in a manner similar to known APT29 methods and their recent campaigns, which leveraged well-known cloud storage and online collaboration apps,” as Unit 42’s threat researchers noted at the time.
