Russian adversaries are taking advantage of trusted cloud services, like Google Drive and Dropbox, to deliver malware to businesses and governments, according to new research.
Researchers at Palo Alto Networks Unit 42 wrote that the threat actor Cloaked Ursa – AKA the Russian government-linked APT29 or Cozy Bear – is increasingly using online storage services because it makes attacks difficult to detect and prevent.
They are believed to have targeted several Western diplomatic missions and foreign embassies between May and June 2022. In recent campaigns, malware was masked as an agenda for an upcoming meeting with an ambassador. These documents contained a link to a malicious HTML file that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.
Palo Alto Networks disclosed the activity to Dropbox and Google, who are working to block it. They have further warned organisations and governments to be on high alert.
The researchers wrote: “The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.” Cozy Bear has previously used legitimate cloud services to deliver malware, but the two latest campaigns leveraged Google Drive cloud storage services for the first time.
According to the researchers, it is “extremely difficult” for organisations to detect malicious activity when the use of trusted cloud services is combined with encryption.
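The delivery chain described above (a lure document linking to an HTML file hosted on a trusted storage service, which then drops further payloads) and the detection problem the researchers raise can be illustrated with a proxy-log heuristic. The following is an added example written for this page, not code from Unit 42 or from the article: it flags HTML files fetched through direct-download endpoints of consumer file-sharing hosts and escalates when the same client pulls an executable shortly afterwards. The log format, the sample lines, the host watchlist, the download-endpoint patterns and the ten-minute window are all assumptions to be tuned for your own environment; the first rule on its own is noisy, and the correlation is what makes it worth alerting on.

```python
"""Heuristic detection for HTML droppers served from trusted cloud storage.

Constructed example: scans web-proxy log lines for HTML content pulled via
direct-download links on file-sharing hosts, then correlates each hit with a
follow-on binary download from the same client inside a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Assumed watchlist of file-sharing hosts (tune per environment).
SHARING_HOSTS = ("drive.google.com", "dropbox.com", "dl.dropboxusercontent.com")
# Content types a proxy typically records for Windows executables/DLLs.
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream",
                "application/x-dosexec"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log: ISO timestamp, client IP, URL, Content-Type.
SAMPLE_LOG = """
2022-06-01T09:00:00 10.0.0.5 https://www.dropbox.com/s/ab12cd/agenda.html?dl=1 text/html
2022-06-01T09:03:12 10.0.0.5 https://cdn.example.net/update/svc.dll application/x-msdownload
2022-06-01T09:10:00 10.0.0.7 https://docs.google.com/document/d/xyz/edit text/html
2022-06-01T11:00:00 10.0.0.9 https://drive.google.com/uc?export=download&id=1A2B text/html
""".strip().splitlines()


@dataclass
class Event:
    ts: datetime
    client: str
    url: str
    ctype: str


def parse_line(line: str) -> Event:
    # Assumed space-separated format; URLs and content types contain no spaces.
    ts, client, url, ctype = line.split()
    return Event(datetime.fromisoformat(ts), client, url, ctype.lower())


def is_sharing_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SHARING_HOSTS)


def is_direct_download(url: str) -> bool:
    # Google Drive "uc?export=download" and Dropbox "?dl=1" force a raw file
    # rather than the interactive viewer page.
    qs = parse_qs(urlparse(url).query)
    return qs.get("export") == ["download"] or qs.get("dl") == ["1"]


def is_html_from_cloud(ev: Event) -> bool:
    if not is_sharing_host(ev.url):
        return False
    path = urlparse(ev.url).path.lower()
    html_type = ev.ctype.startswith("text/html")
    return path.endswith((".html", ".htm")) or (is_direct_download(ev.url) and html_type)


def detect(lines):
    """Return alert tuples in time order.

    ("html_from_cloud_storage", client, url)                  low-confidence
    ("binary_after_cloud_html", client, html_url, binary_url) escalated
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    pending = defaultdict(list)  # client -> prior HTML-from-cloud events
    for ev in events:
        if is_html_from_cloud(ev):
            pending[ev.client].append(ev)
            alerts.append(("html_from_cloud_storage", ev.client, ev.url))
        elif ev.ctype in BINARY_TYPES:
            for prior in pending[ev.client]:
                if timedelta(0) <= ev.ts - prior.ts <= WINDOW:
                    alerts.append(("binary_after_cloud_html", ev.client, prior.url, ev.url))
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it against the constructed log yields two low-confidence hits (the Dropbox `.html` link and the Google Drive direct download) and one escalated alert for client 10.0.0.5, whose DLL fetch follows the HTML download by three minutes; the ordinary Google Docs editor page on docs.google.com is not flagged, since it is neither a direct download nor an `.html` path. In practice the same logic can be fed from a SIEM query rather than raw lines, and the binary-type set should match whatever your proxy actually records.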