Russian APT29 Hackers Use DropBox and Google Drive

Online storage services are becoming increasingly essential to the day-to-day operations of organizations around the world. Among these services, the most popular are:

  • DropBox
  • Google Drive

Although the general public trusts these services more and more, threat actors are exploiting that trust. Their goal is to use these trusted services to make their attacks extremely difficult to detect and prevent.

Security experts at Palo Alto Networks have attributed the latest attacks to an APT group identified as APT29 (also known as Cozy Bear, Cloaked Ursa, Nobelium).

The APT29 group was a Russian hacking group that was supported by the SVR (the Russian Foreign Intelligence Service) and was operated by several secret government services.

Abusing Legit Cloud Services

Cloud services are nothing new to this group, which frequently uses trusted, legitimate ones to complicate detection. For the first time, they were able to utilize the cloud storage services of Google Drive and DropBox for both of their most recent campaigns.

The inclusion of Google Drive cloud storage in this APT's malware delivery process is of great concern, given how omnipresent the service is.

Unit 42 identified a new campaign against a NATO member country in Europe on May 24, 2022. In this campaign, two emails were sent to the same target country within several hours of each other, which was odd.

Both emails carried the same lure document, named Agenda.pdf. The email provided a link to an agenda for a meeting with an ambassador to Portugal.

Attacks on High-Profile Targets

During the year 2020, a large number of U.S. federal agencies were compromised as a result of the SolarWinds supply-chain attack, carried out by APT29.

A number of US Attorney’s offices were breached during the global SolarWinds hacking spree at the end of July, according to the US Department of Justice, the last US government entity to divulge the breach.

Since the SolarWinds supply chain attack, APT29 has managed to breach the networks of other companies as well. Their campaigns use stealthy malware that has remained undetected for a substantial period of time, such as:

  • GoldMax (a Linux backdoor)
  • TrailBlazer

In addition to targeted attacks on managed service providers (MSPs) and cloud service providers, the group has also targeted the IT supply chain.

Microsoft revealed its involvement in the case in October, after revealing that the group had compromised at least 14 companies since May 2021.

To mitigate this threat, cybersecurity analysts strongly recommend that all organizations follow these mitigations:

  • Closely review email policies
  • Review all the IoCs provided
  • Make sure to enable 2FA
  • Implement strong security policies
  • Proper security training
  • Always use robust security tools


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.