The Role of Cloud Services in the Hybrid War in Ukraine

Written by

Since the beginning of 2022, particularly in the days that preceded the Russian invasion, there has been a significant escalation in the number of reported cyber events against multiple Ukrainian targets, including government agencies, NGOs, critical infrastructures and the wider population.

This wave of cyber-attacks, primarily carried out by threat actors with suspected ties to the Russian and Belarusian governments, is characterizing this new hybrid warfare model and is continuing relentlessly with more campaigns unearthed daily.

ColdriverTurla,  Armagedon and UAC-0041 are some examples of Russian-speaking threat actors who launched cyber-espionage campaigns against Ukrainian targets that were unearthed only in July. The same can be said about the Belarusian groups, who were equally active during the past few months. In their latest known operation, the threat actor known as Ghostwriter targeted Ukrainian civilians by spoofing humanitarian information on evacuation procedures. 

All of the above groups are well-known for being driven by cyber-espionage motivations. However, what is also interesting to note in this spate of attacks is that some Russian-speaking threat actors, historically focused on cybercrime, have decided to re-modulate their objectives, jumping on the cyber-espionage bandwagon and launching targeted operations against Ukrainian targets. That's the case with the TrickBot gang, which conducted at least six such campaigns between mid-April and mid-June of 2022.

Such a large number of operations in a relatively short period of time requires an agile malicious infrastructure, and this probably explains why even state-sponsored threat actors are increasingly exploiting cloud services in one or more stages of the kill chain. Not only do cloud apps offer a flexible, resilient and ready-to-use platform to deliver malicious content, but they are also trusted by individuals and organizations, which often means that the corresponding traffic is bypassed.

It all Started with Discord

Infosec professionals may recall that the Russian invasion was anticipated in mid-January when a large-scale attack was carried out in Ukraine via a destructive malware dubbed WhisperGate. The delivery mechanism of WhisperGate used a multi-stage payload, one of which was hosted on Discord. Initially conceived as an instant messaging platform for gamers, Discord has quickly gained growing popularity among threat actors, who abuse its content delivery network (CDN) to host and distribute malicious payloads without any restrictions.

Although the WhisperGate attack is remarkable, it's not the only example of Discord being abused to launch a campaign in Ukraine. In March 2022, the Ukrainian Computer Emergency Response Team (CERT-UA) warned of a phishing campaign orchestrated by a threat actor dubbed UAC-0056, which impersonated government bodies to trick users into downloading a fake Bitdefender update. And here comes Discord again! When executed, the fake antivirus update downloaded two additional artifacts from Discord: a Cobalt Strike beacon and an additional dropper, which led to the download and installation of two additional backdoors: GraphSteel and GrimPlant.

… And Continued with OneDrive

These campaigns confirm that delivering a malicious payload from a cloud service is now a consolidated modus operandi for both opportunistic cyber-criminals and state-sponsored threat actors. According to Netskope's Cloud and Threat Report: Global Cloud and Web Malware Trends report, between April 2021 and March 2022, 47% of all malware downloads came from cloud apps rather than traditional websites. Despite the growing popularity of Discord, Microsoft OneDrive continues to firmly hold the scepter of the most popular cloud service exploited by threat actors for malware download. 

Among the campaigns discovered in July, I have mentioned one carried out by the Russian-speaking threat actor named Coldriver. This targeted operation, discovered in July by Google's Threat Analysis Group, was aimed at different entities in Ukraine, including government and defense officials, politicians, NGOs, think tanks and journalists. Two well-known and familiar cloud storage services played an important role in these operations as the attackers used phishing emails containing links to bait documents (PDFs and/or DOCs) hosted on Microsoft OneDrive and Google Drive.

Another campaign unearthed in July by CERT-UA and carried out by a threat cluster named UAC-0041 deployed a similar attack chain with phishing emails delivering the RelicRace .NET downloader in disguise of a "Final Payment" notification. Once again, unsurprisingly, the RelicRace downloader, when executed, downloaded the RelicSource malware from OneDrive, which eventually led to the installation of the Formbook and Snake information stealers.

What's Happening Next?

Of course, Discord and OneDrive (and Google Drive) are not the only cloud services weaponized by state-sponsored threat actors. Dropbox is another cloud storage app that has gained popularity among advanced adversaries. The infamous APT29, tied with Russia's Foreign Intelligence Service (SVR), exploited this cloud storage service as part of an operation targeting several Western diplomatic missions and foreign embassies between May and June 2022. Charming Kitten, an advanced group from Iran, has also exploited the same service to host a bait document as part of a campaign that has been active since February 2022 and aimed to redirect the victims, predominantly US media organizations and journalists with a focus on the Russia-Ukraine war, to a credential harvesting domain.

Clearly, the rush to exploit cloud services by advanced threat actors continues, and the campaigns with direct or indirect links to the Russia-Ukraine war are just the tip of the iceberg. Cloud service providers (CSPs) usually are extremely reactive in taking down malicious domains once notified by security researchers, and some are raising the bar by implementing proactive countermeasures. However, the mitigation of cloud-native threats can't only be delegated to the CSPs. Businesses and governments must adjust their approaches, such as avoiding the implicit trust of legitimate cloud services. This can be achieved by adopting a cloud-delivered security platform that understands the APIs, the new language of the web, and enables the enforcement of granular policies in terms of instance-based adaptive access control, threat protection and DLP.  

What’s hot on Infosecurity Magazine?