Cloud Atlas [1] [2] [3] [4] [5] [6], also known as Clean Ursa [3] [4], Inception [3] [4], Oxygen [3] [4], and Red October [3] [4], is a cyber espionage group that has been active since at least 2014. They have targeted Russian agro and research companies, as well as organizations in multiple countries including Russia, Belarus [3] [4], Azerbaijan [3] [4], Turkey [3] [4], and Slovenia [3] [4].

Description

Cloud Atlas has been linked to spear-phishing attacks on Russian agro and research companies [4] [6], including a Russian agro-industrial enterprise and a state-owned research company [2] [3]. This information comes from a report by F.A.C.C.T [2], a cybersecurity company [2]. Check Point and Positive Technologies detailed the group’s multi-stage attack sequences in December 2022 [5], which involve the deployment of a PowerShell-based backdoor and DLL payloads [4] [5].

The attacks start with a phishing message containing a lure document that exploits a six-year-old memory corruption flaw in Microsoft Office to execute malicious payloads [5]; the flaw is CVE-2017-11882, which the group exploits via RTF template injection [4] [6]. The latest kill chain described by F.A.C.C.T is similar to the one described by Positive Technologies [5], with successful exploitation of the vulnerability paving the way for the download and execution of an obfuscated HTA file [5]. The emails used in the attacks originate from popular Russian email services [4] [5] [6].

Cloud Atlas has been described as a persistent and sophisticated threat actor that carefully plans its attacks and hides its malware from researchers, using one-time payload requests, legitimate cloud storage, and well-documented software features to avoid detection [1] [5] [6]. They have compromised at least 20 organizations in Russia using a modified version of Pupy RAT called Decoy Dog [1], allowing remote control of infected hosts and transmission of telemetry data to an automated account on Mastodon [1]. The group’s origin remains unknown, but they have been active since at least 2014 and are known for their persistent campaigns targeting Russian enterprises [1] [5] [6].
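As an added example, not code from the page or from any cited report: a Python triage helper that checks an RTF lure for the two document-level markers the description mentions, a remote `\*\template` reference (RTF template injection) and an embedded Equation Editor object (the component affected by CVE-2017-11882). The sample RTF and the `.invalid` hostname are constructed; the control words matched are the standard `\*\template` and `\*\objclass` RTF destinations.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not a real lure): a minimal RTF carrying both markers
# discussed above, a remote \*\template reference and an Equation Editor object.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"{\*\template http://template.example.invalid/q.dotm}"
    r"{\object\objemb{\*\objclass Equation.3}\objupdate}"
    r"\pard Quarterly report\par}"
)

# Control words are matched loosely (optional whitespace, any case) because
# malicious RTFs often pad or mangle them to evade naive signatures.
TEMPLATE_RE = re.compile(r"\{\s*\\\*\s*\\template\s+([^}]*)\}", re.IGNORECASE)
OBJCLASS_RE = re.compile(r"\{\s*\\\*\s*\\objclass\s+([^}]*)\}", re.IGNORECASE)
REMOTE_RE = re.compile(r"^(https?://|\\\\|//)", re.IGNORECASE)


@dataclass
class RtfFindings:
    template_refs: list = field(default_factory=list)
    object_classes: list = field(default_factory=list)
    remote_template: bool = False
    equation_editor: bool = False

    def reasons(self) -> list:
        """Triage reasons; an empty list means nothing was flagged."""
        out = []
        if self.remote_template:
            out.append("remote template reference (RTF template injection)")
        if self.equation_editor:
            out.append("embedded Equation Editor object (CVE-2017-11882 surface)")
        return out


def triage_rtf(data: str) -> RtfFindings:
    """Scan RTF text for the two document-level markers described above."""
    f = RtfFindings()
    for m in TEMPLATE_RE.finditer(data):
        ref = m.group(1).strip().strip('"')
        f.template_refs.append(ref)
        if REMOTE_RE.match(ref):  # http(s):// or UNC path means a remote template
            f.remote_template = True
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1).strip()
        f.object_classes.append(cls)
        if cls.lower().startswith("equation"):
            f.equation_editor = True
    return f
```

Running `triage_rtf(SAMPLE_RTF).reasons()` on the constructed sample returns both flags, while a document whose template points at a local path and carries no Equation object returns an empty list.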

Conclusion

Cloud Atlas poses a persistent and sophisticated threat [4], targeting Russian enterprises and organizations in multiple countries. Their use of advanced techniques, such as exploiting vulnerabilities in Microsoft Office and utilizing legitimate cloud storage, allows them to evade detection. Mitigating their attacks requires staying updated on security patches and being vigilant against phishing attempts. The group’s continued activity since 2014 suggests they will remain a significant threat in the future, emphasizing the need for ongoing cybersecurity measures.

References

[1] https://thehackernews.com/2023/12/cloud-atlas-spear-phishing-attacks.html
[2] https://www.linkedin.com/posts/wdevault_cloud-atlas-spear-phishing-attacks-target-activity-7144977158933786624-jZsS
[3] https://healsecurity.com/cloud-atlas-spear-phishing-attacks-target-russian-agro-and-research-companies/
[4] https://www.ihash.eu/2023/12/cloud-atlas-spear-phishing-attacks-target-russian-agro-and-research-companies/
[5] https://flyytech.com/2023/12/25/cloud-atlas-spear-phishing-attacks-target-russian-agro-and-research-companies/
[6] https://owasp.or.id/2023/12/25/cloud-atlas-spear-phishing-attacks-target-russian-agro-and-research-companies/