State-sponsored threat actors use Google Drive and Dropbox to launch attacks


Dive Summary:

  • The Russia-linked threat actor responsible for the SolarWinds attack is behind a series of attacks leveraging Google Drive and other cloud-based storage systems to target several Western diplomatic missions, research from Unit 42 of Palo Alto Networks released on Tuesday shows.
  • The May and June 2022 campaigns targeted foreign embassies in Brazil and Portugal using phishing documents with a link to a malicious HTML file, called EnvyScout, which served as a dropper for other malicious payloads, including Cobalt Strike.
  • Researchers at Cluster25 have linked the threat actor, known as APT29, Nobelium, or Cozy Bear, to campaigns using Dropbox as a communication vehicle for command and control. Previously, Mandiant researchers reported on similar campaigns using Atlassian’s Trello app.

Overview of the dive:

What stands out from this particular campaign is how the threat actor, whom the Unit 42 researchers dubbed Cloaked Ursa, continues to innovate and find new ways to evade detection.

“Using Google Drive and Dropbox is a new way to take advantage of trusted apps,” the Unit 42 researchers said through a spokesperson. “This means you can easily get Google accounts for free and use them to collect information and host malware.”

The researchers said the data provided during these campaigns included machine names, user names, and a list of running processes.

Google TAG tracks APT 29 activity and regularly exchanges information with other threat intelligence researchers, including Palo Alto Networks, according to Google TAG senior manager Shane Huntley.

“In this case, we were aware of the activity identified in the report and had already taken proactive steps to protect any potential targets,” Huntley said in a statement.

Dropbox said it worked with researchers and industry partners on the situation and immediately disabled user accounts.

“If we detect a user violating our terms of service, we take appropriate action, which may include suspending or disabling user accounts,” a spokesperson said via email.
