The Recent Example of APT43
In recent years, the abuse of legitimate cloud services has emerged as a significant threat to cybersecurity. A compelling case is the recent campaign by APT43, a notorious threat actor aligned with North Korea. This group, known for its focus on cyber espionage, has been targeting individuals in the security sector in South Korea.
APT43’s Campaign and Tactics
APT43 has a history of cyber espionage against various sectors, including governments, business services, manufacturing, education, research, and think tanks focusing on geopolitical and nuclear policy. Their primary targets include South Korea, Japan, Europe, and the United States. While primarily focused on espionage, APT43 also engages in cybercrime to fund its operations.
The group employs sophisticated and evasive attack chains using legitimate cloud services. One recent campaign involved a social engineering trap: an email invite purportedly from the Korean Embassy in China, requesting attendance at a closed-door policy meeting. The initial payload, disguised as a meeting plan document, was delivered through links to Google Drive and Microsoft OneDrive, demonstrating a clever use of cloud services to bypass the Great Firewall of China and simplify operational tasks.
Using cloud storage services offers attackers several advantages, such as resilient infrastructure and effective concealment of malicious traffic within legitimate sessions. This tactic becomes even more effective when using compromised legitimate accounts, making it difficult for targeted organizations to detect the malicious payloads.
In this campaign, APT43 did not stop at the initial payload delivery. They exploited another legitimate service, Dropbox, to host and deliver the Babyshark malware in a multi-stage attack, which underscores the effectiveness of using cloud services for cyber espionage.
The Broader Implications
This example highlights how legitimate services can be exploited to create additional layers of evasion. Unfortunately, there are many ways to abuse these services in both cybercrime and cyberespionage operations.
The Iranian UNC1549 Case Study
Another illustrative case is the campaign by UNC1549, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). Since January 2022, this group has targeted the aerospace, aviation, and defense industries in the Middle East.
UNC1549’s Campaign and Tactics
UNC1549 used 125 Azure subdomains to host its command and control (C2) infrastructure. The widespread use of Azure infrastructure makes it challenging to distinguish malicious activity from legitimate network traffic. Additionally, some servers were geolocated in the targeted countries (Israel and the UAE), further disguising the malicious activities.
The attackers added legitimacy to their campaign by using domain names that appeared legitimate to their victims, incorporating strings related to countries, organizations, languages, or sector-specific descriptions. Using a cloud service, which does not require domain registration, provided attackers with more flexibility and creativity in their malicious endeavors.
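As an added illustration (not code from the original article or from any vendor's tooling), the following Python scores proxy log destinations that sit under provider-owned parent domains, reporting those whose tenant-chosen label embeds country, sector or language strings, or that are contacted repeatedly with near-constant response sizes. The parent-domain suffixes, the token watchlist and the log lines are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Assumed provider-owned parent domains under which a tenant can create a
# subdomain without registering a domain (constructed list for this example).
CLOUD_PARENT_SUFFIXES = ("azurewebsites.net", "cloudapp.azure.com")
# Assumed watchlist of country/sector/language strings a lookalike name might
# embed; a real deployment would derive these from its own organisation.
LOOKALIKE_TOKENS = ("israel", "uae", "aero", "aviation", "defense", "hebrew", "arabic")

# Constructed proxy log lines: timestamp, source host, destination host, bytes
SAMPLE_LOG = """\
2024-03-01T08:00:01Z ws-17 login.microsoftonline.com 5120
2024-03-01T08:02:11Z ws-17 uae-aviation-portal.azurewebsites.net 1834
2024-03-01T08:02:41Z ws-17 uae-aviation-portal.azurewebsites.net 1802
2024-03-01T08:03:11Z ws-17 uae-aviation-portal.azurewebsites.net 1799
2024-03-01T08:05:00Z ws-22 contoso-payroll.azurewebsites.net 40210
2024-03-01T08:06:00Z ws-22 static.example.org 9000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def cloud_label(host):
    """Return the tenant-chosen label if host sits under a cloud parent suffix."""
    for suffix in CLOUD_PARENT_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1]
    return None


def find_suspect_cloud_c2(log_text, min_hits=3, max_spread=0.1):
    """Report cloud-hosted destinations whose label carries a lookalike token,
    or that are contacted >= min_hits times with response sizes varying by
    less than max_spread (a crude beaconing signal). Returns {host: [reasons]}."""
    sizes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and cloud_label(m.group(3)) is not None:  # ignore malformed lines
            sizes[m.group(3)].append(int(m.group(4)))
    findings = {}
    for host, sz in sizes.items():
        reasons = []
        hits = [t for t in LOOKALIKE_TOKENS if t in cloud_label(host).lower()]
        if hits:
            reasons.append("lookalike token(s): " + ", ".join(hits))
        if len(sz) >= min_hits and max(sz) and (max(sz) - min(sz)) / max(sz) < max_spread:
            reasons.append(f"{len(sz)} contacts with near-constant response size")
        if reasons:
            findings[host] = reasons
    return findings
```

The payroll host shows why a provider suffix alone is not a signal: it is only the combination of a lookalike label or beacon-like traffic that produces a finding.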
Conclusion
The abuse of cloud services by state-sponsored groups like APT43 and UNC1549 demonstrates a significant threat to cybersecurity. These campaigns exploit the advantages of legitimate cloud services, such as resilience and concealment, making detection and prevention more challenging for security professionals. As the use of cloud services continues to grow, so too will the need for robust security measures to protect against these sophisticated and evasive attack strategies.