Black Hat Symantec’s threat hunters have identified an alarming trend where state-sponsored cyber spies and criminals are increasingly utilizing legitimate cloud services to launch attacks on their targets. This includes new data theft and malware tools being developed by these malicious actors.
During a talk at the Black Hat infosec conference, Symantec’s Marc Elias discussed how these groups are leveraging their favorite cloud platforms to carry out their nefarious activities. Criminals are using cloud services for many of the same reasons as legitimate organizations, but also because it makes it easier for them to avoid detection while infiltrating victims’ networks.
“Nation-state groups benefit from zero infrastructure costs by creating free accounts on platforms like Google Drive and Microsoft. The encrypted traffic to legitimate domains makes it difficult to detect these attacks,” explained Elias, a threat hunter at Symantec.
Recent campaigns include a backdoor named “Grager” used against organizations in Taiwan, Hong Kong, and Vietnam. This malware leveraged Microsoft’s Graph API to communicate with the attacker’s server hosted on Microsoft OneDrive.
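The detection difficulty described above (C2 traffic blended into legitimate, encrypted Microsoft Graph/OneDrive traffic) is easier to reason about with a concrete hunt. The following is an added example, not Symantec's code or anything presented in the talk: it scans constructed proxy/EDR log lines for Graph API requests from processes outside an assumed allowlist and flags near-constant request intervals as beacon-like. The log format, the allowlist and the process names are assumptions.

```python
"""Hunt for Microsoft Graph traffic from unexpected processes (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical allowlist of processes expected to talk to Graph on a managed host.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}
GRAPH_HOSTS = {"graph.microsoft.com"}

# Constructed sample log: epoch seconds, hostname, process image name, destination host.
SAMPLE_LOG = """\
1700000000 WS01 onedrive.exe graph.microsoft.com
1700000003 WS01 onedrive.exe graph.microsoft.com
1700000100 WS01 svchost_update.exe graph.microsoft.com
1700000160 WS01 svchost_update.exe graph.microsoft.com
1700000220 WS01 svchost_update.exe graph.microsoft.com
1700000280 WS01 svchost_update.exe graph.microsoft.com
1700000300 WS02 teams.exe graph.microsoft.com
1700000310 WS02 chrome.exe www.example.com
"""

def parse_log(text):
    """Parse the constructed whitespace-separated log into (ts, host, proc, dst) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, proc, dst = line.split()
            events.append((int(ts), host, proc.lower(), dst.lower()))
    return events

def hunt_graph_beacons(events, min_hits=3, max_jitter=0.2):
    """Return (host, process) pairs contacting Graph from a non-allowlisted process.
    A low coefficient of variation of the inter-request gaps is reported as beacon-like."""
    by_pair = defaultdict(list)
    for ts, host, proc, dst in events:
        if dst in GRAPH_HOSTS and proc not in EXPECTED_GRAPH_CLIENTS:
            by_pair[(host, proc)].append(ts)
    findings = []
    for (host, proc), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few requests to judge cadence
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        findings.append({"host": host, "process": proc, "hits": len(stamps),
                         "mean_interval_s": avg, "beacon_like": jitter <= max_jitter})
    return findings

if __name__ == "__main__":
    for finding in hunt_graph_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

The allowlist approach only narrows the haystack; in a real environment it should be paired with process reputation, signer checks and the indicators Symantec published.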
Symantec’s research on Grager and other nation-state campaigns abusing cloud tools revealed ties to a group known as UNC5330, suspected of having links to the Chinese government.
Another backdoor named “Moon_Tag” under development by a Chinese-speaking group, and a backdoor called Onedrivetools deployed against IT services firms in the US and Europe, highlight the increasing sophistication of these attacks.
Symantec’s findings underline the escalating use of cloud services by nation-state APT groups for their stealthy campaigns. Elias warned that this trend is likely to continue due to the advantages it offers attackers.
To assist network defenders, Symantec has shared indicators of compromise and MITRE tactics used by these attackers. Stay vigilant and keep hunting for threats.