A hacking and cyber-espionage campaign is abusing legitimate cloud services to steal sensitive information from high-profile targets. According to cybersecurity researchers at Unit 42 at Palo Alto Networks, the hackers abusing these cloud services belong to an APT group they call Cloaked Ursa – also known as APT29, Nobelium and Cozy Bear.
The campaign abuses legitimate cloud services, including Google Drive and Dropbox. Phishing emails are sent to targets at European embassies, posing as invitations to meetings with ambassadors, complete with a supposed agenda attached as a PDF.
The PDF is malicious: if it works as intended, it calls out to a Dropbox account run by the attackers to covertly deliver Cobalt Strike – a penetration-testing tool also popular with malicious actors – to the victim's device.
The group is widely believed to be linked to the Russian Foreign Intelligence Service (SVR), responsible for several major cyberattacks, including the supply chain attack against SolarWinds, the US Democratic National Committee (DNC) hack, and espionage campaigns targeting governments and embassies around the world.
Shane Huntley, Senior Director for Google’s Threat Analysis Group, said, “Google's Threat Analysis Group tracks APT29's activity closely and regularly exchanges information with other threat intelligence teams, such as Palo Alto Networks, for the good of the ecosystem. In this case, we were aware of the activity identified in this report, and had already proactively taken steps to protect any potential targets.”
Unit 42 has alerted both Dropbox and Google to the abuse of their services, and action has been taken against the accounts used in the attacks.