Russian Hackers Behind SolarWinds Are Now Hiding Malware In Google Drive (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The Russia-linked hacking group behind the infamous SolarWinds espionage campaign is now using Google Drive to stealthily deliver malware to its latest victims. That's according to researchers at Palo Alto Networks' Unit 42 threat intelligence team, who said on Tuesday that the Russian Foreign Intelligence Service (SVR) hacking unit -- tracked as "Cloaked Ursa" by Unit 42 but more commonly known as APT29 or Cozy Bear -- has incorporated Google's cloud storage service into its hacking campaigns to hide their malware and their activities.

APT29 has used this new tactic in recent campaigns targeting diplomatic missions and foreign embassies in Portugal and Brazil between early May and June 2022, according to Unit 42. "This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide," the researchers said. "When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign." Unit 42 disclosed the activity to both Dropbox and Google, which took action.

In May, the group was found to be using Dropbox in a campaign targeting diplomats and various government agencies. A Dropbox spokesperson told TechCrunch it disabled the accounts immediately.

  • by fuzzyfuzzyfungus (1223518) on Friday July 22, 2022 @09:18AM (#62724326)
    I don't know if I was dealing with APT29 (and, honestly, I hope not); but this class of techniques seems to be a (fairly effective, at least against the more naïve ones) countermeasure against email security systems that inspect links for domain reputation and potentially inspect the page or file they link to, especially if it's one of the high risk ones (executables, macro-laden office documents, etc.); but, presumably for resource reasons, do not traverse more than a layer or two deep.

    Some time back we had a whole bunch that used links to Evernote notebooks; the system let them pass, as public Evernote notebook sharing is a more or less legitimate and fairly common activity; but the notebooks contained links to some really nasty bugged PDFs. Another batch used shared OneNote notebooks (mostly consumer O365 accounts, I assume just random compromised users; plus some business/SharePoint Online ones from relatively small and hapless-looking outfits that presumably had weak control of employee credentials); also a more or less legitimate link to a Microsoft property in the URL; but some nasty treats inside the notebook.

    I don't think I've seen box, dropbox, or google drive variants in person; but I assume that the concept is the same.

    What is thankfully much rarer, whether because it's more of a hassle to set up in bulk or because it adds friction to the user being attacked and so lowers the success rate, I'm not sure which, is using malicious shared documents on legitimate platforms that are shared specifically with the email address of the recipient, rather than just set to public, which would make the job a lot harder for the inspection engine even if it were to start spidering a little deeper to inspect the URLs buried one level in.

    You can still do time-of-click analysis of the URL (via SmartScreen or the client AV or an analogous feature); but you really don't want to have to depend on that vs. snagging it and killing it at the server.
    • I get a lot of spam encouraging me to download PDFs and office documents from poorly-masked google drive URLs, much of it delivered via gmail. It's always pretty obvious on a mouseover.
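
The layered link inspection fuzzyfuzzyfungus describes above, as an added example that is not code from the thread, from TechCrunch or from Unit 42: a toy mail-gateway check that follows links breadth-first up to a depth limit, classifies what it finds by file type, and treats a sharing-site link it cannot read as needing time-of-click protection rather than passing it. The host list, the file-extension list, the two sample messages and the in-memory stand-in for the web are all constructed for this illustration; a real gateway would fetch over HTTP instead of reading from a dictionary.

```python
"""Multi-hop link inspection for a mail gateway (toy, offline).

Added example; not code from Slashdot, TechCrunch, Unit 42 or any product.
All hosts, messages and page bodies below are constructed.
"""
import re
from collections import deque
from urllib.parse import urlparse

# Anything that looks like an absolute http(s) URL in text or HTML.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Direct-download types a gateway would detonate or block outright.
RISKY_EXT = (".exe", ".scr", ".js", ".lnk", ".iso", ".zip", ".docm", ".xlsm", ".pdf")

# Hosts with excellent domain reputation that anyone can publish from.
SHARING_HOSTS = {
    "drive.google.com", "docs.google.com", "www.dropbox.com",
    "www.evernote.com", "onedrive.live.com", "app.box.com",
}

# Constructed stand-in for the web: URL -> body a crawler would get back.
# URLs absent from the map fail to fetch, which is what a document shared
# only with the recipient's account looks like to an unauthenticated crawler.
SAMPLE_WEB = {
    "https://www.evernote.com/shard/s1/sh/public-note":
        '<p>Quarterly figures: <a href="https://cdn.example.net/files/report.pdf">'
        'open the report</a></p>',
    "https://cdn.example.net/files/report.pdf": "%PDF-1.7 (constructed placeholder)",
}

# Constructed sample messages.
PUBLIC_NOTE_MAIL = "Hi, the updated figures are here: https://www.evernote.com/shard/s1/sh/public-note"
PRIVATE_SHARE_MAIL = "I shared the contract with you: https://docs.google.com/document/d/abc123/edit"


def extract_urls(text):
    return URL_RE.findall(text)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_risky_file(url):
    return urlparse(url).path.lower().endswith(RISKY_EXT)


def inspect(message, max_depth, fetch=SAMPLE_WEB.get):
    """Breadth-first link inspection.

    Links in the message itself are depth 1; links found on a fetched page
    are one deeper. Pages are only fetched while depth < max_depth, so
    max_depth=1 reproduces a gateway that judges the link text alone.
    Returns (verdict, findings) with verdict in {"block", "review", "pass"}.
    """
    findings = []
    seen = set()
    queue = deque((u, 1) for u in extract_urls(message))
    while queue:
        url, depth = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        if is_risky_file(url):
            findings.append(("risky_file", url, depth))
            continue
        if depth >= max_depth:
            continue  # reputation alone; nothing further is fetched
        body = fetch(url)
        if body is None:
            if host_of(url) in SHARING_HOSTS:
                # Reputable host, but the crawler cannot see the content:
                # a private share. Server-side inspection is blind here.
                findings.append(("unreadable_share", url, depth))
            continue
        queue.extend((u, depth + 1) for u in extract_urls(body))
    kinds = {f[0] for f in findings}
    if "risky_file" in kinds:
        return "block", findings
    if "unreadable_share" in kinds:
        return "review", findings  # leave it to time-of-click protection
    return "pass", findings


if __name__ == "__main__":
    for name, mail in (("public note", PUBLIC_NOTE_MAIL), ("private share", PRIVATE_SHARE_MAIL)):
        for depth in (1, 2):
            verdict, found = inspect(mail, max_depth=depth)
            print(f"{name:13s} max_depth={depth}: {verdict:6s} {found}")
```

With max_depth=1 the Evernote message passes on reputation alone; with max_depth=2 the PDF one hop behind the note is found and the message is blocked. The Google Docs link that the crawler cannot open comes back as "review" rather than "pass", which is the case where only time-of-click analysis at the client is left. A real fetcher would also need timeouts, size caps, redirect limits and a per-message fetch budget, which is exactly the resource cost that keeps production gateways shallow.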

  • by zlives ( 2009072 ) on Friday July 22, 2022 @09:55AM (#62724436)

    The article doesn't mention OneDrive, so I am going to assume it is super safe and MS is making sure it is kept that way.

    • Google Drive is reasonably safe, secure, and managed, with the rare exception that gets under their skin.

      I'm confident Google engineers are working to eradicate this infestation. It may not be as easy as we wish.

    • It's MS safe, so the risk of ransomware getting onto and retrieved from OneDrive is real. It has happened.
  • Could this be an opportunity for Google to modify the malware on their servers so that it behaves differently? Perhaps unveiling the IP addresses of the responsible parties or infecting them?
  • That (American) company has our security state as a client, so the idea that pesky Russia would beat its American clients to the punch on finding zero days is laughable. The company's name is actually really similar to one of the programs Ed Snowden revealed, "Stellarwind".
