Russia sophisticated its cyberattacks: now Google Drive

Russia continues to increase the number and sophistication of its cyber attacks. Sponsored and financed by the Putin government, cybercriminal groups have intensified their campaigns in recent months where cloud storage services such as DropBox or Google Drive have become daily targets.

Russia and its large cybercrime organization have seen that the weakness lies not in the insecurity of these platforms, but in the extreme trust that users have in them. And trust, it means that the alert is reduced. A report conducted by Palo Alto Networks (PAWN) it shows that the Russians are finding ways to harness that trust to make their attacks extremely difficult to detect and prevent. The latest campaigns by an Advanced Persistent Threat (APT) tracked by the world’s leading cybersecurity company such as Cloaked Ursa (also known as APT29, Nobelium, or Cozy Bear) demonstrate sophistication and its ability to quickly integrate popular cloud storage services to avoid detection.

Cloaked Ursa is specializing in these types of services. Several cyberattacks have already surfaced on popular platforms like Trello, and more recently, its last two campaigns have taken advantage of Google Drive vulnerabilities for the first time. The cybersecurity firm says the ubiquitous nature of the Google Drive platform’s cloud storage services, combined with the trust millions of customers around the world have in it, makes its inclusion in the drive delivery process malware from this APT is of exceptional concern.

Russia and its army of cybercriminals have seen that extreme trust in platforms like Trello or Google Drive can lead to a successful cyberattack.

The key to the success of Putin’s attackers is that when the use of trusted services is combined with encryption it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign. And it is that,he cybersecurity industry is certain that the Russian government is behind Cloaked Ursa. This is a long-standing group of cybercriminals whose origin dates back to malware campaigns against Chechnya and other countries of the former Soviet bloc in 2008, including Ukraine. In recent years, the hacking of the United States Democratic National Committee (DNC) in 2016 has been attributed to this group, as well as the SolarWinds supply chain compromises in 2020. Increasing the specificity of the attribution, both the United States States like the UK have publicly attributed this group to Russia’s Foreign Intelligence Service (SVR).

The latest cyberattacks were directed at Western diplomatic missions and took place in May and June. The data indicates that it affected some legation in Portugal and Brazil and to carry out the cyberattack they placed a meeting in the agendas of diplomats with a link that contained a malicious HTML file (EnvyScout) and that served to spread the malware through the mission network.

According to PANW, the latest campaigns of Cloaked Ursa (also known as APT 29 / Nobelium / Cozy Bear) demonstrate its sophistication and ability to quickly integrate cloud services to avoid detection. The use of legitimate and trusted cloud services is not entirely new to this group.

Palo Alto Networks customers are protected against the indicators of compromise (IoCs) outlined in the Unit 42 publication through WildFire’s advanced URL filtering, DNS security, and malware analysis.

The full display of observed techniques, relevant courses of action, and IoCs related to this report can be found in Unit 42’s ATOM viewer. Palo Alto Networks also worked to disclose this activity to both Google and DropBox, and have taken steps to block the activity.