A hacking and cyber-espionage campaign is abusing legitimate cloud services as part of a covert operation to steal sensitive information from high-profile targets.
Organisations around the world use cloud services to conduct day-to-day operations, particularly after the shift towards hybrid working. Cloud applications provide a simple means of working, no matter where the user is, something that has become vital for remote workers.
Now attackers are turning to legitimate cloud services, including Google Drive and Dropbox, and have already used this tactic in attacks that took place between May and June this year.
The attacks begin with phishing emails sent out to targets at European embassies, posing as invites to meetings with ambassadors, complete with a supposed agenda attached as a PDF.
The PDF is malicious and, if it works as intended, it calls out to a Dropbox account run by the attackers to secretly deliver Cobalt Strike – a penetration-testing tool popular with malicious attackers – to the victim's device. However, this initial call-out was unsuccessful earlier this year, something researchers attribute to restrictive corporate network policies on the use of third-party services.
But the attackers adapted, sending similar phishing emails as a second lure, this time using communication with Google Drive accounts to hide their actions and deploy Cobalt Strike and malware payloads into target environments. It appears that this attempt wasn't blocked, likely because many workplaces use Google applications as part of day-to-day operations, so blocking Drive would be seen as harmful to productivity.
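Because a blanket block on Drive or Dropbox is rarely acceptable, defenders usually look instead for the pattern described above: a document viewer or script, rather than a browser or the official sync client, talking to a cloud-storage host. The following is an added illustration, not code from Unit 42 or the article; the proxy log format, host list, expected-client list and sample lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Cloud-storage hosts most organisations cannot block outright (assumed list).
CLOUD_STORAGE_HOSTS = {
    "www.dropbox.com", "dl.dropboxusercontent.com", "content.dropboxapi.com",
    "drive.google.com", "docs.google.com", "www.googleapis.com",
}
# User-agent prefixes expected to contact those hosts (assumed baseline).
EXPECTED_CLIENTS = ("Mozilla/", "Dropbox-Desktop/", "Google Drive/")

@dataclass
class Alert:
    user: str
    client: str
    host: str
    reason: str

# Constructed proxy log format: ts user src_ip host bytes_out bytes_in "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"user": m.group(2), "host": m.group(4), "bytes_out": int(m.group(5)),
            "bytes_in": int(m.group(6)), "ua": m.group(7)}

def detect(lines, upload_threshold=5_000_000):
    """Flag cloud-storage traffic from unexpected clients, or unusually large uploads."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["host"] not in CLOUD_STORAGE_HOSTS:
            continue  # malformed line or not a cloud-storage destination
        if not rec["ua"].startswith(EXPECTED_CLIENTS):
            alerts.append(Alert(rec["user"], rec["ua"], rec["host"], "unexpected client"))
        elif rec["bytes_out"] > upload_threshold:
            alerts.append(Alert(rec["user"], rec["ua"], rec["host"], "large upload"))
    return alerts

# Constructed sample lines: a normal browser visit, a PDF reader and a script
# reaching cloud storage, a large upload, and one malformed line.
SAMPLE_LOG = [
    '2022-06-02T09:14:03Z alice 10.0.1.5 drive.google.com 512 30211 "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"',
    '2022-06-02T09:15:11Z alice 10.0.1.5 www.dropbox.com 842 1048576 "Acrobat/22.001 (constructed UA)"',
    '2022-06-02T09:15:40Z alice 10.0.1.5 drive.google.com 310 2097152 "Windows-PowerShell/5.1 (constructed UA)"',
    '2022-06-02T11:02:09Z bob 10.0.1.9 www.googleapis.com 9000000 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"',
    'not a valid proxy log line',
]
```

Running `detect(SAMPLE_LOG)` yields three alerts: two for alice's non-browser clients and one for bob's large upload.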
"Attackers will continue to innovate and find ways to evade detection to meet their objectives. Using Google Drive and Dropbox is a low-cost way to leverage trusted applications," a Unit 42 researcher told ZDNet.
"Put in simple terms, it means you can easily get X number of Google accounts for free, and use that to collect information and host malware. You no longer need to purchase your typical C2 infrastructure, which can easily be blocked."
Like many campaigns of this nature, it's likely the intention was to use malware to create a backdoor onto an infected network and steal sensitive information, either for use in further attacks or to be exploited in other ways. Unit 42 hasn't detailed whether the campaigns successfully infiltrated networks or not.
Unit 42 has alerted both Dropbox and Google to their services being abused and action has been taken against accounts being used as part of attacks.
"Google's Threat Analysis Group tracks APT29's activity closely and regularly exchanges information with other threat intelligence teams, such as Palo Alto Networks, for the good of the ecosystem. In this case, we were aware of the activity identified in this report, and had already proactively taken steps to protect any potential targets," Shane Huntley, senior director for Google's Threat Analysis Group, told ZDNet.
"We can confirm that we worked with our industry partners and the researchers on this matter, and disabled user accounts immediately. If we detect any user violating our terms of service, we take appropriate action, which may include suspending or disabling user accounts," a Dropbox spokesperson told ZDNet.