Hackers turn to cloud storage services in attempt to hide their attacks

Cybersecurity researchers detail attacks that exploit legitimate cloud services in attempts to access sensitive data.
Written by Danny Palmer, Senior Writer
close up programmer man hand typing on keyboard laptop for register data system or access password at dark operation room , cyber security concept
Image: Getty Images/iStockphoto

A hacking and cyber-espionage campaign is abusing legitimate cloud services as part of a covert operation to steal sensitive information from high-profile targets. 

Organisations around the world use cloud services to conduct day-to-day operations, particularly after the shift towards hybrid working. Cloud applications provide a simple means of working, no matter where the user is, something that has become vital for remote workers. 

However, it's not only businesses and employees that can take advantage of cloud services.

And according to cybersecurity researchers at Unit 42 at Palo Alto Networks, that's exactly what hackers working on behalf of an advanced persistent threat (APT) group they call Cloaked Ursa – also known as APT29, Nobelium and Cozy Bear – are doing. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

The group is widely believed to be linked to the Russian Foreign Intelligence Service (SVR), responsible for several major cyberattacks, including the supply chain attack against SolarWinds, the US Democratic National Committee (DNC) hack, and espionage campaigns targeting governments and embassies around the world.  

Now they're attempting to use legitimate cloud services, including Google Drive and Dropbox – and have already used this tactic as part of attacks that took place between May and June this year. 

The attacks begin with phishing emails sent out to targets at European embassies, posing as invites to meetings with ambassadors, complete with a supposed agenda attached as a PDF.  

The PDF is malicious and, if it worked as intended, it would call out to a Dropbox account run by the attackers to secretly deliver Cobalt Strike – a penetration-testing tool popular with malicious attackers – to the victim's device. However, this initial call out was unsuccessful earlier this year, something researchers suggest is down to restrictive policies on corporate networks about using third-party services. 

But the attackers adapted, sending similar phishing emails as a second lure, but instead using communication with Google Drive accounts to hide their actions and deploy Cobalt Strike and malware payloads into target environments. It appears that this strike wasn't blocked, likely because many workplaces use Google applications as part of day-to-day operations, so blocking Drive would be seen as inefficient to productivity. 

"Attackers will continue to innovate and find ways to evade detection to meet their objectives. Using Google Drive and DropBox is a low-cost way to leverage trusted applications," a Unit 42 researcher told ZDNet.  

"Put it in simple terms, it means you can easily get X number of Google accounts for free, and use that to collect information and host malware. You no longer need to purchase your typical C2 infrastructure, which can easily be blocked." 

Like many campaigns of this nature, it's likely the intention was to use malware to create a backdoor onto an infected network and steal sensitive information, either for use in further attacks or to be exploited in other ways. Unit 42 hasn't detailed whether the campaigns successfully infiltrated networks or not. 

SEE: These are the cybersecurity threats of tomorrow that you should be thinking about today

Unit 42 has alerted both Dropbox and Google to their services being abused and action has been taken against accounts being used as part of attacks. 

"Google's Threat Analysis Group tracks APT29's activity closely and regularly exchanges information with other threat intelligence teams, such as Palo Alto Networks, for the good of the ecosystem. In this case, we were aware of the activity identified in this report, and had already proactively taken steps to protect any potential targets," Shane Huntley, senior director for Google's Threat Analysis Group, told ZDNet. 

"We can confirm that we worked with our industry partners and the researchers on this matter, and disabled user accounts immediately. If we detect any user violating our terms of service, we take appropriate action, which may include suspending or disabling user accounts," a Dropbox spokesperson told ZDNet.

Using cloud services provides many benefits to both businesses and staff – but it's important to ensure that the security of cloud applications and services is managed properly to prevent these tools being exploited by cyber criminals.  


Editorial standards