State-sponsored cyber spies and criminals are increasingly leveraging legitimate cloud services to carry out their attacks, as revealed by Symantec’s threat hunters. Over the past few months, Symantec identified three such operations, uncovering new data theft and malware tools in development.
During a talk at the Black Hat infosec conference, Symantec’s Marc Elias highlighted how nation-state groups use cloud platforms for some of the same reasons legitimate organizations do: they are cheap and easy to run, and for attackers they also make detection harder. “Infrastructure costs are zero for these groups,” Elias explained, noting that they can create free accounts on Google Drive or Microsoft with no maintenance costs. Additionally, because the traffic is encrypted and goes to legitimate domains, it blends in with normal activity and is hard to spot.
One notable campaign involved a backdoor named “Grager”, used against organizations in Taiwan, Hong Kong, and Vietnam. This malware utilized Microsoft’s Graph API to communicate with its command and control server hosted on Microsoft OneDrive. Attackers created a malicious domain mimicking 7-Zip software to redirect victims, showcasing a stealthy infection chain.
Symantec’s research connected Grager to a group known as UNC5330, suspected of having ties to the Chinese government. The malware dropped a trojanized version of 7-Zip, which installed additional malicious components, including Tonerjam and the Grager backdoor.
In March, Symantec identified another backdoor under development, named “Moon_Tag”. This malware, attributed to a Chinese-speaking group, also communicated via the Graph API. More recently, a backdoor called Onedrivetools was deployed against IT services firms in the US and Europe. This malware used OneDrive for command and control, and GitHub for payload delivery, further highlighting the use of cloud services for malicious activities.
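The common thread in the three campaigns is a process on an endpoint talking to a legitimate cloud endpoint (Graph API, OneDrive, GitHub) that has no business doing so, on a timer. The following is an added detection sketch, not Symantec's code or anything from the article: it runs over a few constructed EDR network events and flags unexpected processes that contact such endpoints at a regular cadence. The domain list and the allowlist of expected client binaries are assumptions that would be tuned per environment.

```python
import csv, io, ntpath
from collections import defaultdict
from statistics import mean, pstdev

# Legitimate endpoints of the kind the article's backdoors abused (Graph API /
# OneDrive for C2, GitHub for payload delivery). Real domains; the list is ours.
CLOUD_C2_DOMAINS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com",
                    "raw.githubusercontent.com", "api.github.com"}
# Assumed allowlist: clients an organisation expects to talk to those endpoints.
EXPECTED_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
                    "chrome.exe", "firefox.exe"}
# Constructed sample EDR network events (not real telemetry); ts is in seconds.
SAMPLE_EVENTS = """\
ts,host,process,dest
1000,ws01,C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe,graph.microsoft.com
1010,ws01,C:\\Users\\u\\AppData\\Local\\Temp\\7z-setup.exe,graph.microsoft.com
1070,ws01,C:\\Users\\u\\AppData\\Local\\Temp\\7z-setup.exe,graph.microsoft.com
1130,ws01,C:\\Users\\u\\AppData\\Local\\Temp\\7z-setup.exe,graph.microsoft.com
1190,ws01,C:\\Users\\u\\AppData\\Local\\Temp\\7z-setup.exe,raw.githubusercontent.com
2000,ws02,C:\\Tools\\backup.exe,api.github.com
2005,ws02,C:\\Tools\\backup.exe,api.github.com
2300,ws02,C:\\Tools\\backup.exe,api.github.com
"""

def parse_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = float(r["ts"])
    return rows

def beacon_score(timestamps):
    # Coefficient of variation of inter-request gaps; near 0 means a fixed timer.
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None

def find_cloud_c2_candidates(events, min_hits=3, max_cv=0.2):
    # Group cloud-endpoint requests by (host, process), skipping expected clients.
    by_key = defaultdict(list)
    for e in events:
        if e["dest"].lower() not in CLOUD_C2_DOMAINS:
            continue
        if ntpath.basename(e["process"]).lower() in EXPECTED_CLIENTS:
            continue
        by_key[(e["host"], e["process"])].append(e["ts"])
    findings = []
    for (host, proc), ts in by_key.items():
        cv = beacon_score(sorted(ts))  # regular cadence is the beaconing signal
        if len(ts) >= min_hits and cv is not None and cv <= max_cv:
            findings.append({"host": host, "process": proc, "hits": len(ts), "cv": round(cv, 3)})
    return findings
```

The irregular `backup.exe` requests are not flagged, which is the trade-off of a cadence check: a backdoor with heavy jitter needs a different signal, such as the process never having contacted the endpoint before.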
Symantec also noted the use of Whipweave, a tunneling tool suspected to be built on the Chinese VPN Free Connect (FCN) project. This tool connects to the Orbweaver Operational Relay Box (ORB) network to obfuscate malicious traffic.
Elias warned that the trend of nation-state APT groups using cloud services for stealthy campaigns is likely to grow because of the advantages it gives attackers. Symantec has published indicators of compromise and MITRE ATT&CK tactics, techniques, and procedures to aid network defenders.
As attackers continue to exploit legitimate cloud services, vigilance and robust security measures are essential for protection.
Abdul Rehman