Russian SVR hackers use Google Drive, Dropbox to evade detection

State-backed hackers part of Russia's Federation Foreign Intelligence Service (SVR) have started using Google Drive legitimate cloud storage service to evade detection.

By using online storage services trusted by millions worldwide to exfiltrate data and deploy their malware and malicious tools, the Russian threat actors are abusing that trust to render their attacks exceedingly tricky or even impossible to detect and block.

The threat group tracked as APT29 (aka Cozy Bear or Nobelium) has adopted this new tactic in recent campaigns targeting Western diplomatic missions and foreign embassies worldwide between early May and June 2022.

"We have discovered that their two most recent campaigns leveraged Google Drive cloud storage services for the first time," Unit 42 analysts who spotted the new trend said.

"The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT's malware delivery process exceptionally concerning."

However, as Mandiant revealed in an April report tracking one of the group's phishing campaigns, this is not the first time APT29 hackers have abused legitimate web services for command-and-control and storage purposes.

Just as in the campaigns observed by Unit 42, Mandiant also saw the cyberespionage group's phishing attacks against employees of various diplomatic organizations across the world, a focus consistent with current Russian geopolitical strategic interests and previous APT29 targeting.

APT29's high-profile targets

APT29 (also tracked Cozy Bear, The Dukes, and Cloaked Ursa) is the Russian Foreign Intelligence Service (SVR) hacking division that carried out the SolarWinds supply-chain attack, which led to the compromise of multiple U.S. federal agencies in 2020.

At the end of July, the U.S. Department of Justice was the last U.S. government to disclose that 27 U.S. Attorneys' offices were breached during the SolarWinds global hacking spree.

In April 2021, the U.S. government formally blamed the SVR division for coordinating the SolarWinds "broad-scope cyber espionage campaign" that led to the compromise of multiple U.S. government agencies.

Since then, APT29 has breached other organizations' networks following the SolarWinds supply-chain attack, using stealthy malware that remained undetected for years, including a variant of the GoldMax Linux backdoor and a new malware tracked as TrailBlazer.

The group is also targeting the I.T. supply chain, as Microsoft revealed in October, compromising at least 14 companies after attacking roughly 140 managed service providers (MSPs) and cloud service providers since May 2021.

Unit 42 has also recently observed the Brute Ratel adversarial attack simulation tool deployed in attacks suspected to be linked to the Russian SVR cyberspies.

As Unit 42's threat analysts observed at the time, the Brute Ratel sample "was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications."