Main Highlights:
- The Russia-linked hacking organization responsible for the infamous SolarWinds espionage campaign is now delivering malware through Google Drive.
- The Russian Foreign Intelligence Service (SVR) hacking unit tracked as “Cloaked Ursa” by Unit 42, but more commonly known as APT29 or Cozy Bear, has incorporated Google’s cloud storage service into its operations to hide its malware and activities.
- When trusted services are paired with encryption, as seen here, it becomes incredibly difficult for enterprises to discover malicious behavior associated with the campaign.
- The CyberAzov software promised to allow users to “assist halt Russian aggression against Ukraine.”
The Russia-linked hacking organization responsible for the infamous SolarWinds espionage campaign is now leveraging Google Drive to deliver malware covertly to its latest victims. According to Palo Alto Networks’ Unit 42 threat intelligence team, the Russian Foreign Intelligence Service (SVR) hacking unit tracked as “Cloaked Ursa” by Unit 42, but more commonly known as APT29 or Cozy Bear, has incorporated Google’s cloud storage service into its operations to hide its malware and activities.
According to Unit 42, APT29 employed this new tactic in recent attacks targeting diplomatic posts and foreign embassies in Portugal and Brazil between early May and June 2022. The researchers describe it as a new approach for this actor, and one that is difficult to detect because of the omnipresent nature of these services and the fact that millions of consumers worldwide trust them. They also noted that when trusted services are paired with encryption, as seen here, it becomes extremely difficult for enterprises to distinguish malicious activity associated with the campaign from ordinary cloud traffic.
Cozy Bear is a Russian hacking group that the US federal government assesses to be affiliated with one or more Russian intelligence services. The Dutch General Intelligence and Security Service concluded, based on security camera footage it obtained, that the group is directed by the Russian Foreign Intelligence Service (SVR); the US agrees. The cybersecurity firm CrowdStrike previously speculated that it might be linked to either the Russian Federal Security Service (FSB) or the SVR. Other cybersecurity organisations have dubbed the group CozyCar, CozyDuke and The Dukes (by F-Secure), Dark Halo (by Volexity), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.
While this is the first time APT29 has been observed abusing Google Drive, it is not the group’s first abuse of legitimate web services. In May, security firm Mandiant reported that the group used Dropbox as part of its command and control infrastructure in a campaign targeting diplomats and various government entities. According to a Dropbox spokeswoman, the accounts involved were promptly deactivated.
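Because the Drive and Dropbox traffic described in the two passages above rides inside TLS sessions to domains that every workstation also talks to legitimately, a defender cannot block the destination; the only practical handle is behaviour. The script below is an added example (not Unit 42’s or Mandiant’s tooling) showing two hunts a practitioner can run over web-proxy logs: requests to cloud-storage API hosts from a client that is neither a browser nor the vendor’s own sync client, and request trains to those hosts with a nearly constant cadence, which is how an unsophisticated implant polls a shared folder for tasking. The log format, the host list, the “expected” User-Agent substrings and the sample lines are all constructed assumptions for illustration; a real deployment needs proxy or SNI visibility and a baseline of the organisation’s own scripted Drive use.

```python
"""Hunt for cloud-storage C2 activity in web-proxy logs.

Added example, not code from the original article or from the vendors it
cites. The log layout, hostnames and User-Agent heuristics are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Storage API hosts that legitimate clients also use; abuse hides among them.
CLOUD_STORAGE_HOSTS = {
    "www.googleapis.com", "drive.google.com",
    "content.dropboxapi.com", "api.dropboxapi.com",
}
# User-Agent fragments treated as expected for these hosts (assumption).
EXPECTED_UA = ("Mozilla/", "Chrome/", "DropboxDesktopClient", "Google Drive")

# Assumed proxy format: ts src method host path status "user-agent"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) \"(?P<ua>[^\"]*)\"$"
)

# Constructed sample: 10.1.1.20 polls the Drive API roughly every 60 s from a
# python-requests client, next to ordinary browser and sync-client traffic.
SAMPLE_LOG = """\
2022-06-01T09:00:00 10.1.1.20 GET www.googleapis.com /drive/v3/files 200 "python-requests/2.27.1"
2022-06-01T09:00:07 10.1.1.31 GET drive.google.com /drive/my-drive 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"
2022-06-01T09:01:01 10.1.1.20 GET www.googleapis.com /drive/v3/files 200 "python-requests/2.27.1"
2022-06-01T09:02:00 10.1.1.20 GET www.googleapis.com /drive/v3/files 200 "python-requests/2.27.1"
2022-06-01T09:03:01 10.1.1.20 GET www.googleapis.com /drive/v3/files 200 "python-requests/2.27.1"
2022-06-01T09:04:00 10.1.1.20 GET www.googleapis.com /drive/v3/files 200 "python-requests/2.27.1"
2022-06-01T09:10:00 10.1.1.31 GET content.dropboxapi.com /2/files/download 200 "DropboxDesktopClient/150.4"
2022-06-01T09:12:00 10.1.1.31 POST content.dropboxapi.com /2/files/upload 200 "DropboxDesktopClient/150.4"
"""


def parse(log_text):
    """Parse lines matching LOG_RE into dicts; silently skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def unexpected_client(events):
    """Storage-API requests whose User-Agent is neither a browser nor the
    vendor's sync client. Returns sorted (src, host, ua) tuples."""
    hits = set()
    for e in events:
        if e["host"] in CLOUD_STORAGE_HOSTS and not any(t in e["ua"] for t in EXPECTED_UA):
            hits.add((e["src"], e["host"], e["ua"]))
    return sorted(hits)


def beacons(events, min_requests=4, max_jitter=0.1):
    """Per (src, host) pair, flag request trains whose inter-arrival times are
    nearly constant: coefficient of variation <= max_jitter. Returns
    (src, host, mean_interval_seconds) tuples."""
    by_pair = defaultdict(list)
    for e in events:
        if e["host"] in CLOUD_STORAGE_HOSTS:
            by_pair[(e["src"], e["host"])].append(e["ts"])
    found = []
    for (src, host), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((src, host, round(avg, 1)))
    return found


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in unexpected_client(evs):
        print("unexpected client:", hit)
    for b in beacons(evs):
        print("beacon-like cadence:", b)
```

The cadence check is deliberately simple: a real implant adds jitter or sleeps for hours, so treat a low-variance train as a lead to triage, not a verdict, and tune `min_requests` and `max_jitter` against the baseline of legitimate automation (backup jobs and CI runners also hit the Drive API on a schedule). The User-Agent heuristic is the stronger signal when endpoint telemetry can confirm which process opened the connection.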
Unit 42 reported the activity to Dropbox and Google, both of which took action. Google did not immediately respond to a request for comment. On Tuesday, Google’s Threat Analysis Group (TAG) reported that Russian-backed Turla hackers were targeting Ukrainians with an app ostensibly meant to carry out distributed denial of service (DDoS) attacks against Russia. The CyberAzov software promised to allow users to “assist halt Russian aggression against Ukraine.” According to TAG researchers, the app is the first documented instance of Turla distributing Android malware.
Both Google Drive and Dropbox offer two-factor authentication and encrypt data in transit, from the cloud storage service to your device and back. For data at rest, Dropbox uses 256-bit Advanced Encryption Standard (AES) encryption, a key length the US National Security Agency has approved for protecting TOP SECRET information, while Google Drive uses 128-bit AES in storage. Neither figure bears on this campaign, however: the provider’s at-rest encryption protects stored files from outsiders, not from an attacker who owns the account, and what hides the command and control exchange from network defenders is the TLS session to a trusted domain, which looks like any other Drive or Dropbox traffic.
This week, the EU diplomatic service also warned that Russian cyber groups have become increasingly disruptive in Europe since the start of the war in Ukraine. “In the context of the war on Ukraine, this surge in harmful cyber activity presents intolerable risks of spillover effects, misunderstanding, and possible escalation,” it stated.