Dive Brief:
- The Russia-linked threat actor responsible for the SolarWinds attack is behind a series of attacks leveraging Google Drive and other cloud-based storage systems to target several Western diplomatic missions, research from Palo Alto Networks’ Unit 42 released Tuesday shows.
- Campaigns in May and June 2022 targeted foreign embassies in Brazil and Portugal using phishing documents with a link to a malicious HTML file, called EnvyScout, which served as a dropper for additional malicious payloads, including Cobalt Strike.
- Researchers at Cluster25 linked the threat actor, known as APT29, Nobelium or Cozy Bear, to campaigns using Dropbox as a communication vector for command and control. Previously Mandiant researchers disclosed information on similar campaigns using Atlassian’s Trello application.
Dive Insight:
What stands out under this particular campaign is how the threat actor, which Unit 42 researchers call Cloaked Ursa, continues to innovate and find new ways to evade detection.
“Using Google Drive and Dropbox is a low-cost way to leverage trusted applications,” Unit 42 researchers said through a spokesperson. “That means you can easily get Google accounts for free and use that to collect information and host malware.”
Researchers said the data being collected during these campaigns include machine names, usernames and a list of running processes.
Google TAG closely tracks the activity of APT29 and regularly exchanges information with other threat intelligence researchers, including Palo Alto Networks, according to Shane Huntley, senior director at Google TAG.
“In this case, we were aware of the activity identified in the report, and had already taken proactive steps to protect any potential targets,” Huntley said in a statement.
Dropbox said it worked with the researchers and with industry partners on the situation and immediately disabled user accounts.
“If we detect any user violating our terms of service, we take appropriate action, which may include suspending or disabling user accounts,” a spokesperson said via email.