The Russian state-sponsored hacking group known as APT29 has been linked to a new phishing campaign that uses legitimate cloud services such as Google Drive and Dropbox to deliver malicious payloads to compromised systems and evade detection.
The APT29 threat group (aka Cozy Bear or Nobelium) is the hacking division of Russia's Foreign Intelligence Service (SVR). It has been characterized as an organized cyberespionage group that collects intelligence in line with Russia's strategic objectives.
The group has adopted this new technique in recent campaigns targeting Western diplomatic missions and foreign embassies worldwide between early May and June 2022. The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil.
According to the Palo Alto Networks Unit 42 analysts who spotted the new trend, the ubiquitous nature of Google Drive cloud storage and the fact that it is trusted by millions of customers worldwide make this activity challenging to detect, because traffic to these services blends in with legitimate use.
This is not the first time APT29 has abused legitimate web services for command-and-control and storage purposes: Mandiant documented the same behavior in an April report tracking one of the group's phishing campaigns.