"Russian Hacking Unit Cozy Bear Adds Google Drive to Its Arsenal, Researchers Say"

Security researchers at Palo Alto Networks' Unit 42 threat intelligence team found that the state-backed Russian hacking team behind some of the biggest digital intrusions in recent years has been using both Google Drive and Dropbox to deliver malware against a range of targets. The researchers stated that the Russian Foreign Intelligence Service (SVR) hacking unit, generally known as APT29, Nobelium, or Cozy Bear, had previously used legitimate cloud services such as Dropbox as part of its malware delivery efforts.

In a series of spear-phishing attacks dating back to early May, however, the hackers have demonstrated "sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection," most notably by adding Google Drive's cloud storage to their toolset. The researchers stated that this is a new tactic for this actor and one that is challenging to detect, because these services are ubiquitous and trusted by millions of customers worldwide. They noted that when the use of trusted services is combined with encryption, it becomes extremely difficult for organizations to detect malicious activity connected with the campaign.

The researchers also noted that Dropbox and other cloud and web services, such as the project management app Trello and Google's Firebase app development platform, are not new to the APT29 playbook, but that adding Google Drive brings an additional layer of threat.


CyberScoop reports: "Russian Hacking Unit Cozy Bear Adds Google Drive to Its Arsenal, Researchers Say"