In the report, they highlight instances where the threat actor targeted embassies in spear phishing attacks. The hackers, identified as Cloaked Ursa (also known as APT29, Nobelium, or Cozy Bear), were behind the infamous SolarWinds hack. Both Google and Dropbox have taken steps to block the phishing attacks.
Hackers Host Malware on Google Drive, Dropbox
Unit 42’s report shed light on their observations from two campaigns, the first in May, and the second in June this year. The researchers found that Google Drive and Dropbox played a key role in the phishing attacks—they were used to host and deliver malware. Using these cloud services allowed the hackers to keep the malware hidden, and also let them steal information such as “running processes, machine name and network IP information.” This is not the first time APT29 has been found targeting diplomatic missions. In April this year, Mandiant observed the threat actor sending phishing emails to several embassies from legitimate, but compromised, email accounts.
Details of APT29’s Latest Campaigns
According to Unit 42, APT29’s attack begins with a phishing email sent to an embassy. The email appears to contain links to an upcoming meeting with an ambassador. These links were hosted on cloud storage platforms, and when they’re clicked, an elaborate malware deployment process begins. Both campaigns use a malware dropper called “EnvyScout,” which is hosted on a legitimate domain. “EnvyScout can be described as an auxiliary tool that is used to further infect the target with the actor’s implant,” Unit 42 explained. “It is used to deobfuscate the contents of the secondary malware, which is a malicious ISO file.” The main differences between the two campaigns detailed in the report are their targets, and the cloud storage platform used to spread the malware. The first campaign was addressed to a Portuguese Embassy, while a Brazilian Embassy was the target of the second. In the first campaign, the hackers used Dropbox as their cloud storage tool, and in the second campaign, they used Google Drive.
Phishing Attack is “Challenging to Detect”
The Unit 42 team noted that APT29’s use of popular cloud storage services makes the attack more difficult to detect. “Since early May, Cloaked Ursa has continued to evolve their abilities to deliver malware using popular online storage services,” Unit 42 stated. “Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.”
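Because the hosting domains are legitimate, blocking them outright is rarely an option; what a defender can look for is the combination the article describes, a consumer cloud-storage share that hands back a disk image (ISO). The following is an added example, not code from the article or from Unit 42: a small detector run over constructed web-proxy log lines. The log format, the host list, and the file-type heuristics are assumptions for illustration, not indicators taken from the report.

```python
"""
Heuristic detection over web-proxy log lines for the delivery pattern
described above: a download from a consumer cloud-storage share that
returns a disk image (ISO). Sample log lines are constructed for this
example; the host list and heuristics are assumptions, not indicators
from the Unit 42 report.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed cloud-storage share hosts to watch (illustrative, not from the report).
CLOUD_STORAGE_HOSTS = {
    "www.dropbox.com",
    "dl.dropboxusercontent.com",
    "drive.google.com",
    "docs.google.com",
}
# Disk-image extensions that often carry a mountable lure (assumed list).
IMAGE_EXTENSIONS = (".iso", ".img", ".vhd")

# Assumed proxy log layout: timestamp user method url status content-type bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2022-06-02T09:14:03Z jdoe GET https://www.dropbox.com/s/abc123/Ambassador_Meeting_Agenda.iso?dl=1 200 application/octet-stream 1843200
2022-06-02T09:14:20Z jdoe GET https://drive.google.com/uc?export=download&id=1XyZ 200 application/x-iso9660-image 1843200
2022-06-02T09:15:01Z asmith GET https://www.dropbox.com/s/def456/Q2_Report.pdf 200 application/pdf 220000
2022-06-02T09:16:44Z jdoe GET https://example.org/news.html 200 text/html 5120
2022-06-02T09:17:10Z bsmith GET https://drive.google.com/uc?export=download&id=2AbC 404 text/html 120
"""


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    filename: str
    reason: str


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string if the entry matches the lure pattern, else None."""
    parsed = urlparse(entry["url"])
    host = parsed.netloc.lower()
    if host not in CLOUD_STORAGE_HOSTS:
        return None  # ordinary web traffic, out of scope for this heuristic
    if entry["status"] != "200":
        return None  # nothing was actually delivered
    filename = parsed.path.rsplit("/", 1)[-1]
    # Case 1: the share URL carries the file name (typical of Dropbox links).
    if filename.lower().endswith(IMAGE_EXTENSIONS):
        return f"disk image {filename} fetched from cloud storage"
    # Case 2: opaque download URL, so fall back to the served content-type
    # (typical of Google Drive direct-download links).
    if entry["ctype"] == "application/x-iso9660-image":
        return "ISO content-type from cloud storage"
    return None


def scan(lines):
    """Run the heuristic over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            parsed = urlparse(entry["url"])
            findings.append(
                Finding(
                    ts=entry["ts"],
                    user=entry["user"],
                    host=parsed.netloc.lower(),
                    filename=parsed.path.rsplit("/", 1)[-1],
                    reason=reason,
                )
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} user={f.user} host={f.host} file={f.filename}: {f.reason}")
```

Run on the constructed sample, the detector flags the two ISO deliveries for user jdoe and ignores the PDF share, the unrelated site, and the failed request. In practice the two signals worth correlating are the share host plus the disk-image file type; either alone is far too noisy on a network whose users legitimately rely on these services, which is exactly the point Unit 42 makes about detection difficulty.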