The SolarWinds hackers are back - and smuggling malware in Google Drive

APT29 is exploiting legitimate services to disguise attacks

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

APT29, also known as Cozy Bear and Cloaked Ursa, is abusingcloud storageserviceGoogleDrive to distributemalware, researchers have warned.

Earlier this week, Unit 42 (the cybersecurityarmof Palo Alto Networks) discovered that the group, allegedly backed by the Russian state, was using Google Drive to facilitate two campaigns targeting diplomats and embassies in Portugal and Brazil.

“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” Unit 42 claims.

“When the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for organizations to detect malicious activity in connection with the campaign.”

Abusing legitimate tools

As reported byTechCrunch, while this may be the first time APT29 has used Google Drive specifically, the group is no stranger to abusing legitimate web services for its nefarious deeds.

In May this year, for example, the group used Dropbox as part of its command and control infrastructure, forcing the file-sharing company to shut down their accounts.

Unit 42 has notified Google and Dropbox, both of which have reportedly taken action. So far, Google has not commented publicly on the findings.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

APT29 is an infamous threat actor in the cybersecurity world, perhaps best known for theSolarWinds attack. It was APT29 that used stolenMicrosoft365 credentials to compromise SolarWinds’ infrastructure, and later used the access to the network to poison a service update with malware.

Dangerous new malware dances past more than 50 antivirus services>New analysis uncovers extensive SolarWinds attack infrastructure>These are the best patch management services around

That update ended up being installed on endpoints belonging to tens of thousands of companies, as well as American government institutions. It is generally considered one of the most devastating supply chain attacks of all time.

According toTechCrunch, the EU foreign service also recently warned everyone of increasing activity by Russian hackers, especially since the invasion of Ukraine.

“This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation,” it said.

ViaTechCrunch

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics