The SolarWinds hackers are back - and smuggling malware in Google Drive

News
By Sead Fadilpašić
published

APT29 is exploiting legitimate services to disguise attacks

Google Drive logo on phone
(Image credit: Shutterstock.com / rafapress)

APT29, also known as Cozy Bear and Cloaked Ursa, is abusing cloud storage service Google Drive to distribute malware, researchers have warned.

Earlier this week, Unit 42 (the cybersecurity arm of Palo Alto Networks) discovered that the group, allegedly backed by the Russian state, was using Google Drive to facilitate two campaigns targeting diplomats and embassies in Portugal and Brazil.

“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” Unit 42 claims.

“When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”

Abusing legitimate tools

As reported by TechCrunch, while this may be the first time APT29 has used Google Drive specifically, the group is no stranger to abusing legitimate web services for its nefarious deeds.

In May this year, for example, the group used Dropbox as part of its command and control infrastructure, forcing the file-sharing company to shut down their accounts.

Unit 42 has notified Google and Dropbox, both of which have reportedly taken action. So far, Google has not commented publicly on the findings. 

APT29 is an infamous threat actor in the cybersecurity world, perhaps best known for the SolarWinds attack. It was APT29 that used stolen Microsoft 365 credentials to compromise SolarWinds’ infrastructure, and later used the access to the network to poison a service update with malware. 

Read more

> Dangerous new malware dances past more than 50 antivirus services

> New analysis uncovers extensive SolarWinds attack infrastructure

These are the best patch management services around

That update ended up being installed on endpoints belonging to tens of thousands of companies, as well as American government institutions. It is generally considered one of the most devastating supply chain attacks of all time.

According to TechCrunch, the EU foreign service also recently warned everyone of increasing activity by Russian hackers, especially since the invasion of Ukraine. 

“This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation,” it said.

Via TechCrunch

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.