The Russian-linked hacking group behind the infamous SolarWinds spying campaign is now using Google Drive to stealthily deliver malware to its latest victims.
That’s according to researchers from Palo Alto Networks’ Unit 42 threat intelligence team, which said on Tuesday that the Russian Foreign Intelligence Service (SVR) hacking unit – tracked as “Masked Ursa” by Unit 42 but more commonly known as APT29 or Cozy Bear — integrated Google’s cloud storage service into their hacking campaigns to hide their malware and activities.
APT29 used this new tactic in recent campaigns targeting diplomatic missions and foreign embassies in Portugal and Brazil between early May and June 2022, according to Unit 42.
Advertising
“This is a new tactic for this actor and one that is proving difficult to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” the researchers said. . “When the use of trust services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious campaign-related activity. »
While this is APT29’s first time using Google Drive, it’s not the first time the group has abused legitimate web services. As documented by security giant Mandiant in May, the group has incorporated itself as Dropbox as part of its command and control infrastructure in a campaign targeting diplomats and various government agencies. .
Unit 42 disclosed the activity to Dropbox and Google, which took action. Google did not immediately respond to a request for comment.
Google’s Threat Analysis Group (TAG) also uncovered Russian-backed Turla hackers targeted Ukrainians via an app allegedly designed to carry out distributed denial-of-service (DDoS) attacks against Russia on Tuesday. The app, known as CyberAzov, promised to allow users “to help stop Russian aggression against Ukraine”. In fact, the app is the first known instance of Turla distributing Android-related malware, according to TAG researchers.
The EU’s foreign service warned this week that Russian hacker groups had become increasingly disruptive in Europe since the outbreak of war in Ukraine. “This increase in malicious cyber activity, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation,” he said.