
Google Drive & Dropbox: Target of APT29, Russian Hacker Collective

A new phishing campaign that leverages cloud services like Google Drive and Dropbox to deliver payloads to compromised systems has been attributed to the Russian state-sponsored hacker collective known as APT29.

The APT29 group, also known as Cozy Bear or Nobelium, has embraced this new strategy built around Google Drive and Dropbox content. The phishing documents included a link to a malicious HTML file, which was used to bring other malicious files, including a Cobalt Strike payload, into the target network.

Palo Alto Networks has notified Google and Dropbox of the activity, and both have taken steps to limit it. Researchers from Unit 42 have warned organizations and governments to maintain a high state of alert.

All owners of a Google Drive or Dropbox account should pay more attention to how they identify, inspect and block unwanted traffic to cloud storage providers, to avoid malicious access.
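One way to put the identify, inspect and block advice into practice, shown as an added example that is not part of the original article or of the Unit 42 research. The log format, the domain suffix list, the process allowlist and the upload threshold are all assumptions to adapt, and the log lines are constructed.

```python
from collections import namedtuple

# Assumed suffix list. "googleapis.com" covers all Google APIs, not only
# Drive; narrow it by request path if your proxy records one.
CLOUD_STORAGE_SUFFIXES = ("drive.google.com", "googleapis.com", "dropbox.com",
                          "dropboxapi.com", "dropboxusercontent.com")
# Assumed policy: only these processes may talk to cloud storage.
SANCTIONED_PROCESSES = {"chrome.exe", "msedge.exe", "dropbox.exe",
                        "googledrivefs.exe"}
UPLOAD_INSPECT_BYTES = 50_000_000  # assumed threshold for a closer look

Event = namedtuple("Event", "ts host process method domain path bytes_out")

# Constructed sample: timestamp, host, process, method, domain, path, bytes out.
SAMPLE_LOG = """
2022-05-30T10:02:11Z ws-014 chrome.exe GET drive.google.com /file/d/abc 512
2022-05-30T10:02:40Z ws-014 rundll32.exe POST content.dropboxapi.com /2/files/upload 20480
2022-05-30T10:03:05Z ws-022 dropbox.exe POST content.dropboxapi.com /2/files/upload 73400320
2022-05-30T10:03:09Z ws-022 chrome.exe GET example.org / 300
2022-05-30T10:04:00Z ws-031 powershell.exe GET www.googleapis.com /drive/v3/files 128
2022-05-30T10:04:30Z ws-031 chrome.exe GET notdropbox.com / 100
"""

def parse(line):
    ts, host, process, method, domain, path, bytes_out = line.split()
    return Event(ts, host, process.lower(), method,
                 domain.lower().rstrip("."), path, int(bytes_out))

def is_cloud_storage(domain):
    # Match on a label boundary so "notdropbox.com" is not treated as Dropbox.
    return any(domain == s or domain.endswith("." + s)
               for s in CLOUD_STORAGE_SUFFIXES)

def verdict(ev):
    if not is_cloud_storage(ev.domain):
        return None                      # not cloud-storage traffic
    if ev.process not in SANCTIONED_PROCESSES:
        return "block"                   # unexpected client process
    if ev.bytes_out > UPLOAD_INSPECT_BYTES:
        return "inspect"                 # sanctioned client, unusually large upload
    return "allow"

def triage(lines):
    findings = []
    for line in (l.strip() for l in lines):
        if line:
            ev = parse(line)
            v = verdict(ev)
            if v in ("block", "inspect"):
                findings.append((v, ev.host, ev.process, ev.domain))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding)
```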


APT29, also known as Cozy Bear, Cloaked Ursa or The Dukes, is a cyber espionage organization that seeks to gather information and support Russia's geopolitical goals. APT29 also compromised the SolarWinds supply chain, causing problems for several US federal agencies in 2020.

Using cloud services like Dropbox and Google Drive to obtain additional cyber espionage material has become the group's new approach. According to reports, in the second phase of the attack, which occurred in late May 2022, the hacking technique to access cloud services was further improved.

The European Union "condemns this appalling behavior in cyberspace" and highlights the increase in hostile cyber actions perpetrated by the Russians. In a press release, the Council of the EU stated that "this increase in malicious cyber actions, in the context of the war against Ukraine, presents intolerable risks of spillover effects, misinterpretations and possible escalation".


Ercole Palmeri: Innovation addicted
