The Russian APT29 threat group, which has also been tracked as Cozy Bear, The Dukes, and Cloaked Ursa, was responsible for the 2020 SolarWinds supply-chain attack that resulted in the compromise of numerous U.S. federal agencies. However, this is not the first time they have abused legitimate online services for command-and-control (C2). Mandiant noticed the cyberespionage group’s phishing attempts targeted staff members of numerous diplomatic organizations worldwide; this focus is consistent with the current Russian geopolitical strategy.
At the end of July, The U.S. Department of Justice revealed that 27 U.S. Attorneys’ offices were hacked as a result of the SolarWinds global hacking campaign. The coordination of SolarWinds’ “broad-scope cyber espionage campaign,” which resulted in the breach of numerous U.S. government entities, was officially attributed to the SVR division by the U.S. government in April 2021.

Following the SolarWinds supply-chain attack, APT29 entered the networks of other companies employing stealthy malware that went unnoticed for years, including a GoldMax Linux backdoor variant and new malware dubbed TrailBlazer. According to Microsoft, APT29 is also focusing on the IT supply chain and has compromised at least 14 businesses after hitting about 140 managed service providers (MSPs) and cloud service providers since May 2021. The Brute Ratel malicious attack simulation program was identified by Unit 42 in attacks suspected to be connected to Russian SVR cyberspies. The Brute Ratel sample “was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications,” stated Unit 42’s threat researchers.

https://www.bleepingcomputer.com/news/security/russian-svr-hackers-use-google-drive-dropbox-to-evade-detection/