Jul 19, 2022 - Technology

Russian state hackers’ new battleground: the cloud

Illustration of a hand in gloves and a winter jacket on a computer mouse

Illustration: Sarah Grillo/Axios

The Russian hackers who breached dozens of U.S. government agencies in the 2020 SolarWinds incident are using a new technique involving Google Drive and Dropbox to break into diplomatic offices in other countries.

Driving the news: Cozy Bear, the Russian state-sponsored hacking group, shared malware-infected files with foreign embassies in Brazil and Portugal in May using Dropbox or Google Drive storage, researchers at Palo Alto Networks said in a report Tuesday.

  • Right now, it’s unclear whether the attacks succeeded.

Why it matters: The findings mark an expansion in Russian state hackers’ abuse of cloud services as Russia’s Ukraine invasion creates new concerns over their activity.

  • It’s the first time Palo Alto Networks’ researchers have spotted Cozy Bear targeting Google Drive, specifically, and it builds on Cozy Bear’s newer interest in abusing Dropbox tools.

Details: In the report, Palo Alto Networks’ threat intelligence team says it tracked three known phishing attempts that relied on Dropbox and Google’s cloud storage systems, two against embassies in Portugal and another in Brazil.

  • Cozy Bear hackers sent the embassies a phishing email disguised to look like a document containing the agenda for an upcoming meeting with a foreign ambassador.
  • If recipients clicked on the link, they’d be redirected to either Dropbox or Google Drive, where they’d download the file onto their devices.
  • Victims who opened that file would start a download onto their computers that gives hackers a backdoor onto the system — allowing them to later launch malware at any moment.
  • Researchers also shared this information with both Google and Dropbox and said in the report that the two companies have blocked the activity.

The big picture: Russian nation-state hackers, or those working on behalf of government organizations, have been steadily finding new ways to break into cloud services as more companies adopted those tools during the pandemic.

  • In October, Microsoft warned that the same Russian hacking group had been targeting tech resellers and other service providers that “customize, deploy and manage” cloud services with the hopes of piggybacking to gain access to a company’s cloud network.
  • Palo Alto Networks’ report also comes as Western governments prepare for a possible onslaught of Russian cyberattacks in retaliation for their support of Ukraine.

Editor's note: We've deleted a sentence from this story that incorrectly suggested both Brazil and Portugal were negotiating to reduce Russian energy imports at the time of the hacks. Portugal was, but Brazil was seeking to increase those imports.

Go deeper