Cyber-espionage group Cloud Atlas targets Russia and its supporters
A monument commemorating the Second World War in Transnistria, a de facto independent republic considered part of Moldova by the United Nations. Image: Karen Grigorean/Unsplash
Daryna Antoniuk December 13, 2022

Cyber-espionage group Cloud Atlas targets Russia and its supporters

Daryna Antoniuk

December 13, 2022

Cyber-espionage group Cloud Atlas targets Russia and its supporters

The cyber-espionage group Cloud Atlas has ramped up activities targeting Russia, Belarus and disputed parts of Ukraine and Moldova since Russia’s invasion this year, according to a new report.

The group has been active since 2014, according to research published by Check Point last week, but since the outbreak of the war in Ukraine it has mainly attacked “high profile victims” in Russia, Belarus, Transnistria (a pro-Kremlin breakaway region of Moldova), and Russian-annexed territories of Ukraine, including Crimea, Luhansk, and Donetsk.

The goals of the group are espionage and theft of confidential information, according to researchers from Positive Technologies. It is not yet clear who is behind the group.

Cloud Atlas has stuck with its “simple but effective” methods, which haven’t changed over time, according to Check Point. The group uses so-called template injection attacks that abuse features in Microsoft Word to deliver malicious payloads to victims. The documents are usually crafted for a particular target, which makes them almost undetectable.

The researchers found evidence that in June the group carried out several successful intrusions into Russian-speaking organizations, which were discovered only after the attackers already had full access to the entire network, including the domain controller.

How Cloud Atlas attacks

Before the war in Ukraine, Cloud Atlas mostly targeted ministries, diplomatic entities, and industrial facilities in Asia and Europe, according to Check Point. Its targets also included government agencies in Azerbaijan, Turkey and Slovenia, Positive Technologies found.

Cloud Atlas typically uses phishing emails with malicious attachments to gain initial access to the victim’s computer. These documents are carefully crafted to mimic government statements, media articles, business proposals, or advertisements.

The .DOC format may not be flagged as malicious by antivirus software, according to Positive Technologies, as the document itself only contains a link to the template with an exploit. This template is automatically downloaded from the remote server when the document is opened.

Examples of phishing letters targeting Belarussian entities (Image: Check Point)

The hackers mostly use public email services like Yandex, Mail.ru and Outlook.com, but sometimes they spoof existing domains from other organizations that the victim is likely to trust. For example, during one of the recent attacks, hackers disguised themselves as writing on behalf of the popular Russian news media outlet Lenta.ru.

Flow chart of the identified attack chains (Image: Positive Technologies)

Most of the phishing letters are related to current geopolitical issues in the target countries. In March and April of this year, for example, Cloud Atlas targeted Transnistria amid fears that Russia would try to expand its control over the territory to attack Ukraine from the west. 

In Belarus, Cloud Atlas mostly targeted transportation and military radio-electronics industries, and in Russia it focused on the government sector and energy facilities. 

Countries targeted by Cloud Atlas in 2019 (Image: Securelist)

The attackers closely control who can access their malicious attachments by whitelisting the targets. To collect the IP information of the victims, Cloud Atlas first sent them reconnaissance documents, which do not contain any malicious files aside from fingerprinting the victim, according to Check Point.

The researchers from Positive Technologies noted the absence of any publicly available information about the recipients, “which could indicate a well-prepared attack.”

“We predict that the group will continue to operate, increasing the complexity of its tools and attack techniques due to the fact that it has once again attracted the attention of researchers,” they said.

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.