



According to a new study, Russian adversaries use trusted cloud services such as Google Drive and DropBox to deliver malware to businesses and governments.

Researchers at Palo Alto Networks Unit 42 found that the threat actor Cloaked Ursa (also known as APT29 or Cozy Bear, and linked to the Russian government) is making increasing use of online storage services to make its attacks harder to detect and prevent.

The group is believed to have targeted several Western diplomatic missions and foreign embassies between May and June 2022. In the recent campaigns, the malware was hidden in documents posing as agendas for upcoming meetings with an ambassador. These documents contained links to malicious HTML files that acted as droppers, fetching additional malicious files such as a Cobalt Strike payload into the target network.

Palo Alto Networks has disclosed the activity to DropBox and Google, which are working to thwart it. The researchers also warn organizations and governments to stay vigilant.

The researchers said: "The ubiquitous nature of the Google Drive cloud storage service, combined with the trust of millions of customers around the world, makes us very concerned about this APT malware delivery process. Cozy Bear has used legitimate cloud services to deliver malware before, but the latest two campaigns are the first to use the Google Drive cloud storage service."

When the use of trusted cloud services is combined with encryption, it becomes "extremely difficult" for organizations to detect the malicious activity, according to the researchers.
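A defender-side check of the kind this delivery chain suggests, written here as an added example that is not part of the article or of Unit 42's research: it scans proxy-log lines for HTML files fetched from the cloud storage services named in the piece, and separately counts TLS sessions whose content it cannot see, which is exactly where the encryption caveat above bites. The log format, the host list and the sample log lines are all assumptions constructed for the example.

```python
"""Flag HTML files fetched from trusted cloud storage hosts in a proxy log.

Added example, not code from the article or from Unit 42. It assumes a
space-separated proxy log with the fields
    timestamp client method url status content-type
and the log lines in SAMPLE_LOG are constructed samples, not real traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Hosts of the cloud storage services the article names as abused delivery
# channels. A real deployment would extend this to every service the
# organisation allows; the list itself is an assumption of this example.
CLOUD_STORAGE_HOSTS = {
    "drive.google.com",
    "docs.google.com",
    "www.dropbox.com",
    "dl.dropboxusercontent.com",
}

# Constructed sample log. The last line is a CONNECT tunnel: with TLS in
# place the proxy sees only the host, never the file being fetched.
SAMPLE_LOG = """\
2022-06-01T09:12:01Z 10.1.2.3 GET https://drive.google.com/uc?id=AbC123&export=download 200 text/html
2022-06-01T09:12:05Z 10.1.2.3 GET https://www.dropbox.com/s/xyz/agenda.html?dl=1 200 text/html
2022-06-01T09:13:10Z 10.1.2.4 GET https://www.dropbox.com/s/qrs/report.pdf?dl=1 200 application/pdf
2022-06-01T09:14:00Z 10.1.2.5 GET https://example.org/index.html 200 text/html
2022-06-01T09:15:30Z 10.1.2.6 CONNECT drive.google.com:443 200 -
"""


@dataclass
class Finding:
    timestamp: str
    client: str
    host: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, ctype = parts
    if method == "CONNECT":
        # Tunnel request: the URL field is "host:port", nothing more.
        host, path = url.rsplit(":", 1)[0].lower(), ""
    else:
        parsed = urlparse(url)
        host, path = (parsed.hostname or ""), parsed.path
    return {"ts": ts, "client": client, "method": method,
            "host": host, "path": path, "status": status, "ctype": ctype}


def looks_like_html(rec: Dict[str, str]) -> bool:
    """HTML either by declared content type or by file extension in the path."""
    return (rec["ctype"].startswith("text/html")
            or rec["path"].lower().endswith((".html", ".htm")))


def scan(log_text: str) -> Tuple[List[Finding], int]:
    """Return (findings, opaque_sessions).

    findings: HTML objects fetched from a cloud storage host, the pattern the
    article describes (agenda document -> HTML dropper hosted on Drive/DropBox).
    opaque_sessions: CONNECT tunnels to those hosts whose content the proxy
    could not inspect; these are counted, not flagged, because encrypted
    sessions to popular storage services are normal traffic.
    """
    findings: List[Finding] = []
    opaque = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in CLOUD_STORAGE_HOSTS:
            continue
        if rec["method"] == "CONNECT":
            opaque += 1
            continue
        if looks_like_html(rec):
            findings.append(Finding(rec["ts"], rec["client"], rec["host"],
                                    "html-from-cloud-storage"))
    return findings, opaque


if __name__ == "__main__":
    found, uninspectable = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.client} fetched HTML from {f.host} ({f.reason})")
    print(f"{uninspectable} encrypted session(s) to cloud storage could not be inspected")
```

The split between findings and the opaque count is the point: without TLS inspection the proxy only ever sees the CONNECT line, so the HTML dropper in the second sample line would be invisible, and the organisation is left with endpoint telemetry (browser download events, files written from the browser's temp directory) rather than network content.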

