Cyber Incident Victim: Cisco

Date: May 2022

Location: United States of America

Summary

Russian state-backed hackers associated with APT29 employed Google Drive and Dropbox to evade detection while targeting diplomatic entities globally. The group, linked to Russia's Foreign Intelligence Service, utilized these trusted cloud services for malware deployment and data exfiltration, aligning with geopolitical interests. Their tactics included leveraging adversarial simulation tools like Brute Ratel and deploying stealthy malware such as GoldMax and TrailBlazer. This activity followed prior supply-chain compromises, including the SolarWinds breach affecting U.S. government agencies, and continued targeting of IT supply chains through managed service providers.

Description

In early May 2022, Russian state-backed hackers affiliated with the Foreign Intelligence Service (SVR) initiated cyberespionage campaigns targeting Western diplomatic missions and foreign embassies globally. The threat group APT29, also tracked as Cozy Bear, Nobelium, The Dukes, and Cloaked Ursa, adopted new evasion tactics by leveraging Google Drive’s cloud storage services for malware delivery and data exfiltration. This marked the first observed use of Google Drive by the group in their operations, exploiting the platform’s widespread trust and ubiquity to bypass security defenses. Unit 42 researchers identified these campaigns between early May and June 2022, noting the strategic alignment with Russian geopolitical interests. The hackers embedded malicious tools within legitimate cloud services, complicating detection efforts for network defenders. This approach followed earlier phishing campaigns documented by Mandiant in April 2022, which similarly focused on diplomatic entities and abused trusted web services for command-and-control infrastructure. APT29’s operations during this period demonstrated continuity with their historical targeting patterns, emphasizing stealth and persistence in compromised environments.

APT29’s activities in mid-2022 extended a years-long pattern of high-impact cyber operations linked to the SVR. The group gained notoriety for orchestrating the 2020 SolarWinds supply-chain attack, which compromised multiple U.S. federal agencies, including 27 U.S. Attorneys’ offices breached as late as July 2021. Following SolarWinds, APT29 deployed advanced malware such as the GoldMax Linux backdoor variant and the newly identified TrailBlazer malware, maintaining long-term access to victim networks. By May 2021, the group shifted focus to IT supply chains, compromising approximately 140 managed service providers (MSPs) and cloud service providers, leading to breaches at 14 downstream companies. Microsoft disclosed these intrusions in October 2021, highlighting the group’s adaptability in exploiting third-party vendors. Unit 42 additionally observed APT29 employing the Brute Ratel adversarial simulation tool in 2022, packaged using techniques consistent with their cloud-service abuse methodology. These operations underscored the group’s reliance on blending malicious activity with legitimate infrastructure to evade attribution and detection while advancing Russian intelligence objectives.
