Russia’s Cozy Bear abusing Dropbox, Google Drive to target victims

The Russia-based advanced persistent threat (APT) group tracked variously as Cozy Bear, Nobelium, APT29 and Cloaked Ursa is incorporating legitimate cloud storage services into its attack chain to make its attacks harder for defenders to detect and protect, according to new intelligence shared today by threat hunters at Palo Alto Networks’ Unit 42.

In a newly published notice, researchers Mike Harbison and Peter Renals described how when combined with encryption, exploiting trusted cloud services makes it “extremely difficult” for organisations to detect malicious activity.

They note that the use of trusted, legitimate cloud services is not new to Cozy Bear’s methodology, but that its recent incorporation of Dropbox and Google Drive services into its arsenal – observed in a number of recent campaigns – should be of particular concern for a number of reasons.

“Since early May [2022], Cloaked Ursa has continued to evolve their abilities to deliver malware using popular online storage services,” the researchers wrote.

“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of Dropbox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.

“We encourage all organisations to review their email policies and the IoCs [indicators of compromise] provided in this report in order to address this threat.”

The precise methodology used in the two campaigns observed and analysed by Unit 42 varies slightly, but broadly speaking, they were aimed at western diplomatic missions located in Brazil and Portugal, targeting an undisclosed Nato country with a supposed agenda for an upcoming meeting with the ambassador.

The attached document, Agenda.pdf, in fact called out to the cloud storage services to retrieve EnvyScout, a tool used to deobfuscate the secondary malware, in this case a malicious ISO file, Agenda.iso, which in turn led to the download of malicious Dynamic Link Libraries (DLLs), the whole chain ultimately leading to that hardy perennial of APT tools, Cobalt Strike.

This is apparently not the first time Cozy Bear has leant on Portugal’s diplomatic service as a lure. The same country targeted in the latest campaigns was attacked in this manner in January, about the same time as the WhisperGate malware campaign against Ukraine.

According to researchers at Cluster25, who have also been tracking similar Cozy Bear campaigns, other countries targeted may have included Greece, Italy and Turkey.

Cluster25’s team added that the campaigns clearly showed a strong focus from Cozy Bear on operating under the radar and preventing its attacks from being detected for a considerable period of time.

A Dropbox spokesperson said: “We can confirm that we worked with our industry partners and the researchers on this matter, and disabled user accounts immediately. If we detect any user violating our terms of service, we take appropriate action, which may include suspending or disabling user accounts.” 

Commenting on the two observed campaigns, Garret Grajek, CEO of YouAttest, a supplier of cloud-based identity auditing solutions, said: “Unit 42 has previously reported that 92% of cloud configurations have misaligned identity permissions, so the fact Google Drive is under attack should be of no surprise to anyone.

“Most applications and data are in the cloud today, and thus the attackers know this is where  to target their exploits. Full attention must be paid to these resources to protect against these focused attacks. Identity is the most important construct to secure the cloud resources of today and must be provisioned and reviewed with care and automation.”

More technical information on the campaigns, and other details such as IoCs, are available from Unit 42.