Highlights:

  • Cloud services are being used by businesses all over the world to run day-to-day operations, especially considering the shift toward hybrid working.
  • Attackers are now turning to recognized cloud services such as Google Drive and Dropbox.

As part of a secret effort to steal private information from high-profile targets, a hacking and cyber-espionage campaign is abusing legitimate cloud services.

Cloud services are being used by businesses worldwide to run day-to-day operations, especially considering the shift toward hybrid working. Cloud applications offer a convenient way to work from anywhere, which has become essential for remote workers. However, it’s not just companies and employees who stand to benefit from using cloud services.

That’s exactly what hackers operating for the Advanced Persistent Threat (APT) organization Cloaked Ursa, also known as APT29, Nobelium, and Cozy Bear, are allegedly doing, claim cybersecurity researchers at Unit 42 at Palo Alto Networks.

It’s believed that the group is affiliated with the Russian Foreign Intelligence Service (SVR). SVR is responsible for several significant cyberattacks, including the US Democratic National Committee (DNC) hack, supply chain attacks against SolarWinds, and espionage campaigns against foreign governments and embassies.

They are now turning to recognized cloud services such as Google Drive and Dropbox, a tactic they already used in attacks between May and June this year. Typically, the attacks start with phishing emails sent to targets at European embassies, often posing as invitations to meetings with ambassadors, complete with a supposed agenda attached as a PDF.

The PDF is malicious: had it worked as planned, it would have reached out to an attacker-controlled Dropbox account to covertly download Cobalt Strike, a penetration-testing tool, to the victim’s device. However, this initial attempt fell on deaf ears earlier this year. According to the researchers, this was due to strict corporate network policies on the use of third-party services.

The attackers adapted, sending similar phishing emails as a second lure, this time using Google Drive accounts to conceal their activity and deliver Cobalt Strike and malware payloads into target environments. This second attempt does not appear to have been blocked, probably because many offices use Google products for everyday business, making it impractical to block Drive.
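As an added illustration (not code from the article or from Unit 42), the following Python labels cloud-storage traffic by the process that initiated it, which is the context a defender needs when Drive and Dropbox themselves cannot be blocked. The telemetry line format, the host list and the process names are assumptions; the sample events are constructed.

```python
import re

# Assumed host list for Dropbox / Google Drive client and API traffic (illustrative,
# not the researchers' indicator set).
CLOUD_STORAGE_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com",
                       "dl.dropboxusercontent.com", "www.googleapis.com", "drive.google.com"}
# Processes expected to reach cloud storage all day: browsers and sync clients.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "googledrivefs.exe"}
# Document readers a meeting-agenda lure would be opened with.
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "winword.exe"}

# Constructed telemetry format (hypothetical EDR export): one network event per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+) dst=(?P<dst>\S+)$")

def parse(line):
    """One event as a dict, process names lower-cased; None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m and {k: (v if k == "ts" else v.lower()) for k, v in m.groupdict().items()}

def classify(ev):
    """Label cloud-storage traffic by who initiated it; None means nothing to raise."""
    if ev["dst"] not in CLOUD_STORAGE_HOSTS:
        return None                      # not cloud storage: out of scope here
    if ev["proc"] in DOCUMENT_READERS or ev["parent"] in DOCUMENT_READERS:
        return "document-reader-origin"  # the opened lure, or a process it spawned
    if ev["proc"] not in EXPECTED_CLIENTS:
        return "unexpected-client"       # e.g. a script engine talking to the Drive API
    return None                          # browser / sync client: normal office use

def triage(lines):
    """Return (timestamp, process, label) for every event worth an analyst's attention."""
    hits = []
    for line in lines:
        ev = parse(line)
        label = classify(ev) if ev else None
        if label:
            hits.append((ev["ts"], ev["proc"], label))
    return hits

# Constructed sample: two benign office-use events and two that mirror the lure chain.
SAMPLE = """
2022-06-01T09:02:11Z proc=chrome.exe parent=explorer.exe dst=drive.google.com
2022-06-01T09:02:40Z proc=Dropbox.exe parent=explorer.exe dst=content.dropboxapi.com
2022-06-01T09:05:03Z proc=AcroRd32.exe parent=outlook.exe dst=content.dropboxapi.com
2022-06-01T09:05:09Z proc=powershell.exe parent=AcroRd32.exe dst=www.googleapis.com
""".strip().splitlines()

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit)
```

Only the two events tied to the PDF reader are raised; the browser and sync-client traffic to the same hosts stays silent, which is the trade-off the article describes.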

“To achieve their goals, attackers will keep coming up with new strategies and ways to avoid discovery. Using Dropbox and Google Drive is a cheap approach to use reliable applications,” a Unit 42 researcher told a well-known business technology news website.

“Simply put, that means that you can simply obtain a certain number of Google accounts for no cost and use them to host malware and gather data. You are no longer required to invest in standard C2 infrastructure, which is easily blocked.”

As part of attacks between May and June this year, the group turned to legitimate cloud services such as Google Drive and Dropbox.

Attacks start with phishing emails that pretend to be invitations to meetings with ambassadors and include a phony agenda attached as a PDF. These emails are delivered to targets at European embassies.