State-sponsored hackers working for Russia’s Federation Foreign Intelligence Service (SVR) have started using Google Drive, a reliable cloud storage service, in order to avoid detection. These Russian threat actors are abusing the trust of millions of people worldwide by using online storage services to exfiltrate data and distribute their malware and dangerous tools, making their attacks extremely difficult to identify. This new strategy was adopted by the threat group known as APT29 (also known as Cozy Bear or Nobelium) in recent attacks that targeted Western diplomatic missions and foreign embassies between May and June 2022. “We have discovered that their two most recent campaigns leveraged Google Drive cloud storage services for the first time. The ubiquitous nature of Google Drive cloud storage services…make their inclusion in this APT’s malware delivery process exceptionally concerning,” stated Unit 42 analysts.
The Russian APT29 threat group, which has also been tracked as Cozy Bear, The Dukes, and Cloaked Ursa, was responsible for the 2020 SolarWinds supply-chain attack that resulted in the compromise of numerous U.S. federal agencies. However, this is not the first time they have abused legitimate online services for command-and-control (C2). Mandiant noticed the cyberespionage group’s phishing attempts targeted staff members of numerous diplomatic organizations worldwide; this focus is consistent with the current Russian geopolitical strategy.
At the end of July, The U.S. Department of Justice revealed that 27 U.S. Attorneys’ offices were hacked as a result of the SolarWinds global hacking campaign. The coordination of SolarWinds’ “broad-scope cyber espionage campaign,” which resulted in the breach of numerous U.S. government entities, was officially attributed to the SVR division by the U.S. government in April 2021.
Following the SolarWinds supply-chain attack, APT29 entered the networks of other companies employing stealthy malware that went unnoticed for years, including a GoldMax Linux backdoor variant and new malware dubbed TrailBlazer. According to Microsoft, APT29 is also focusing on the IT supply chain and has compromised at least 14 businesses after hitting about 140 managed service providers (MSPs) and cloud service providers since May 2021. The Brute Ratel malicious attack simulation program was identified by Unit 42 in attacks suspected to be connected to Russian SVR cyberspies. The Brute Ratel sample “was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications,” stated Unit 42’s threat researchers.