Hackers with government support working for Russia’s Federation Foreign Intelligence Service (SVR) have begun using Google Drive, a reputable cloud storage service, to avoid detection.
The Russian cybercriminals violate the millions of users’ faith in online storage services by leveraging them to exfiltrate data and distribute their malware and dangerous tools, making their attacks extremely difficult or even impossible to identify and prevent.
This new strategy was adopted by the malicious attacker known as APT29 (also known as Cozy Bear or Nobelium) in recent attacks that targeted Western diplomatic posts and foreign embassies globally between early May and June 2022.
“We have discovered that their two most recent campaigns leveraged Google Drive cloud storage services for the first time,” Unit 42 analysts who spotted the new trend said.
“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.”
However, this is not the first time APT29 hackers have misused official online services for command-and-control and storage reasons, Mandiant discovered in an April report showing one of the group’s phishing attempts.
Mandiant noticed the cyberespionage group’s phishing attempts targeted staff members of numerous diplomatic organizations around the world, a focus consistent with current Russian geopolitical strategic aims and prior APT29 targeting, just like in the campaigns observed by Unit 42.
High-profile targets of APT29
The Russian Foreign Intelligence Service (SVR) hacking unit known as APT29, which has also been tracked as Cozy Bear, The Dukes, and Cloaked Ursa, was responsible for the 2020 SolarWinds supply-chain attack that resulted in the compromise of numerous U.S. federal agencies.
27 U.S. Attorneys’ offices were compromised during the SolarWinds global cyber spree, according to the U.S. Department of Justice, the final U.S. government to reveal this information at the end of July.
The coordination of SolarWinds’ “broad-scope cyber espionage campaign,” which resulted in the breach of numerous U.S. government entities, was officially attributed to the SVR division by the U.S. government in April 2021.
Following the SolarWinds supply-chain attack, APT29 has since entered the networks of other businesses employing stealthy malware that went years undiscovered, including a GoldMax Linux backdoor version and a new form of malware known as TrailBlazer.
Microsoft confirmed in October that the organization is also focusing on the IT supply chain, having compromised at least 14 businesses after hitting about 140 managed service providers (MSPs) and cloud service providers since May 2021.
The Brute Ratel adversarial attack simulation model has lately been seen being used by Unit 42 in attacks that are thought to be connected to the Russian SVR cyberspies.
As Unit 42’s threat analysts observed at the time, the Brute Ratel sample “was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications.”
