New group exploits public cloud services to spy on Russian agencies, Kaspersky says
Researchers say they have discovered a new hacker group, dubbed CloudSorcerer, that uses “a sophisticated cyberespionage tool” to steal data from Russian government agencies.
The activity was first spotted in May, and researchers at Kaspersky Lab say it is reminiscent of another advanced persistent threat (APT) known as CloudWizard, which targeted, among others, diplomatic and research organizations in Russian-occupied territories of Ukraine last year.
Given that the two groups use “completely different” malware code, Russia-based Kaspersky suggests that CloudSorcerer is likely a new actor, “possibly inspired” by CloudWizard’s techniques but developing its own “unique” tools.
Kaspersky didn’t disclose additional details about CloudSorcerer’s targets, nor did it attribute the campaign to a specific country or government.
The custom malware uses GitHub as its initial command-and-control (C2) server, Kaspersky said, and relies on legitimate cloud services such as Yandex Cloud and Dropbox for covert monitoring and data collection.
The use of GitHub and cloud services “demonstrates a well-planned approach to cyberespionage,” researchers said.
CloudSorcerer’s malware is executed manually by the attacker on an already infected machine. It is composed of different modules — such as a communication module or data collection module — that can perform specific tasks independently.
The backdoor module, for example, collects various system information about the victim machine, such as the computer name, username, and system uptime.
The hackers can also enumerate the victim’s files and folders; copy, move, rename, or delete files; read from and write to arbitrary files; and perform more advanced operations such as creating a new Windows service or modifying the configuration of an existing one.
The malware’s ability to adapt its behavior to the process it is running in, together with its use of complex inter-process communication on Windows, “highlights its sophistication,” Kaspersky said.
It is also not clear how the hackers gain initial access to the targeted networks and what country they are affiliated with.
Given that many Western companies left the Russian market when the Kremlin invaded Ukraine, the reports from Russian cyber firms offer a rare chance to learn about the cyber threats facing local companies.
In the case of CloudSorcerer, however, researchers at U.S.-based Proofpoint shared additional observations about the group.
On Monday, Proofpoint claimed to have observed in late May a campaign against a U.S.-based organization using an email account spoofing “a well-known” U.S. think tank organization with a fake event invitation as a lure.
“The activity observed overlaps with the details in the Kaspersky report,” researchers said. They attribute this activity to a cluster currently tracked as UNK_ArbitraryAcrobat.
Upon execution, the malware connects to specific public profiles on GitHub or TechNet to retrieve a chunk of data encoded in hexadecimal (base-16), much as CloudSorcerer’s malware does.
The GitHub profile discovered by Proofpoint contains the same “CDOY” marker, a unique string used to recognize and track the malicious activity, that Kaspersky identified in its own research.
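The dead-drop pattern described above (a public profile page carrying a marker string followed by hex-encoded data that the implant decodes to find its real infrastructure) is something a defender can hunt for in pages their own proxies fetch. The following is an added, illustrative scanner, not code from Kaspersky, Proofpoint or the malware itself: only the “CDOY” marker and the use of hex encoding come from the reporting, while the page layout (marker immediately followed by the hex run), the constructed sample page, the decoded address and the function names are assumptions made for the example.

```python
import re

# Constructed sample of a public profile page abused as a dead drop.
# ASSUMPTION: the marker is immediately followed by a hex-encoded payload;
# the real layout and any extra decoding layer are not known from the report.
SAMPLE_PAGE = (
    "<html><body><div class='bio'>Full-stack dev. Coffee. "
    "CDOY" + "https://cdn.example.invalid/api".encode().hex() + " "
    "</div></body></html>"
)

MARKER = "CDOY"                                  # marker string from the reporting
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2})+")     # longest even-length hex run


def extract_dead_drop(page: str, marker: str = MARKER) -> list[bytes]:
    """Return the decoded payload found after each occurrence of `marker`.

    Occurrences not followed by a hex run are skipped, so a profile that
    merely contains the four letters in prose does not produce a hit.
    """
    payloads = []
    for m in re.finditer(re.escape(marker), page):
        run = HEX_RUN.match(page, m.end())
        if run is None:
            continue
        try:
            payloads.append(bytes.fromhex(run.group(0)))
        except ValueError:
            continue
    return payloads


def find_c2_candidates(page: str, min_len: int = 4) -> list[str]:
    """Decode payloads and keep those that are printable ASCII (e.g. a URL).

    Payloads that are binary or carry a further encoding layer are dropped;
    a resolver for a specific sample would apply that sample's own decoder.
    """
    candidates = []
    for blob in extract_dead_drop(page):
        try:
            text = blob.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable() and len(text) >= min_len:
            candidates.append(text)
    return candidates


def looks_like_dead_drop(page: str, min_payload_bytes: int = 8) -> bool:
    """Cheap triage check: marker followed by a non-trivial hex payload."""
    return any(len(p) >= min_payload_bytes for p in extract_dead_drop(page))


if __name__ == "__main__":
    print("dead drop:", looks_like_dead_drop(SAMPLE_PAGE))
    for c2 in find_c2_candidates(SAMPLE_PAGE):
        print("decoded candidate:", c2)
```

Run against the constructed page it reports the decoded address; against ordinary profile text, or a marker followed by non-hex characters, it reports nothing. The minimum payload length in `looks_like_dead_drop` is there because two or three hex digits after any four-letter word are common in normal text.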
The Kaspersky report comes as the U.S. government continues to blacklist the company. In June, a dozen executives and senior leaders at Kaspersky were sanctioned by the U.S., and the use of its software is to be banned within the U.S. due to “long-standing national security and data privacy concerns.”
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.