Cloud Atlas group attacks Russia with war-related phishing emails

January 10, 2024

Cloud Atlas, an espionage group widely assessed to be state-sponsored, is running an ongoing cyberespionage campaign against Russian organisations. According to published reports, the campaign uses phishing lures themed around the war in Ukraine to compromise its targets.

The group, active since 2014, is known for intrusions into organisations in Russia, Belarus, Azerbaijan, Turkey and Slovenia. Its latest campaign has focused on a Russian agro-industrial enterprise and a state-owned research company, with phishing email as the primary means of initial access.

Researchers have published details of the phishing emails the attackers used against these targets.

Cloud Atlas targets soldiers fighting in the war between Russia and Ukraine.

Cloud Atlas sent a phishing email posing as postcards for soldiers fighting in Ukraine and their family members. The lure uses the Russian abbreviation "SVO" (special military operation), the official term for the war, to make the message look legitimate. A second email concerned changes to the law on military reserve service.

Both emails were sent from addresses on the popular Russian webmail services yandex.ru and mail.ru. The malicious attachments exploited CVE-2017-11882, a stack buffer overflow in the Microsoft Equation Editor component (EQNEDT32.EXE) shipped with Microsoft Office.

Microsoft patched the flaw in November 2017 and later removed the Equation Editor component altogether, yet the bug is still exploited because unpatched Office installations remain common. Successful exploitation runs arbitrary code with the privileges of the user who opened the document, which is usually enough to establish a foothold on the machine and, where that user is a local administrator, can mean complete control of the system.
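The defensive counterpart to the paragraph above is to catch these attachments before a user opens them. The script below is an added example written for this page; it is not Cloud Atlas tooling, not code from the original report and not any vendor's product. It flags RTF and OLE (.doc) attachments that embed a Microsoft Equation 3.0 object, the component in which CVE-2017-11882 lives, by looking for the Equation Editor CLSID, the "Equation Native" stream name and an `Equation.3` object class, and it decodes RTF `\objdata` hex even when whitespace and junk control words are interleaved with it, a common obfuscation. The sample attachments (file names such as `postcard.rtf` are invented) are constructed inside the script and carry only the indicators, not an exploit, so it runs offline.

```python
import re

# Indicators of an embedded Microsoft Equation 3.0 object, the component whose
# stack overflow is CVE-2017-11882. The CLSID is stored little-endian on disk
# (first three fields byte-swapped), which is the form found in OLE directory
# entries and OLE1 object headers.
EQ_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQ_CLSID_RAW = bytes.fromhex("02ce020000000000c000000000000046")

INDICATORS = {
    "Equation Native stream": b"Equation Native",
    "Equation Native stream (UTF-16)": "Equation Native".encode("utf-16-le"),
    "Equation Editor CLSID": EQ_CLSID_RAW,
}

RTF_OBJCLASS = re.compile(rb"\\objclass\s*([^\s{}\\]+)")
RTF_OBJDATA = re.compile(rb"\\objdata\b([^{}]*)")


def rtf_objdata_blobs(data: bytes) -> list[bytes]:
    """Decode every \\objdata hex run in an RTF file into raw bytes.

    Word's parser ignores whitespace and unknown control words inside the hex,
    and in-the-wild samples interleave both to defeat naive string matching,
    so strip them before decoding.
    """
    blobs = []
    for m in RTF_OBJDATA.finditer(data):
        cleaned = re.sub(rb"\\[a-zA-Z]+-?\d*\s?|\s+", b"", m.group(1))
        cleaned = re.sub(rb"[^0-9a-fA-F]", b"", cleaned)
        cleaned = cleaned[: len(cleaned) & ~1]  # drop a dangling nibble
        blobs.append(bytes.fromhex(cleaned.decode("ascii")))
    return blobs


def scan_attachment(data: bytes) -> list[str]:
    """Return the Equation Editor indicators found in a document blob.

    Raw bytes are searched as-is (covers OLE .doc/.xls containers); for RTF
    the \\objclass names and the decoded \\objdata payloads are searched too.
    """
    hits: list[str] = []
    regions = [data]
    if data.lstrip().startswith(b"{\\rtf"):
        for m in RTF_OBJCLASS.finditer(data):
            if m.group(1).lower().startswith(b"equation"):
                hits.append("objclass " + m.group(1).decode("latin-1"))
        regions.extend(rtf_objdata_blobs(data))
    for region in regions:
        for name, needle in INDICATORS.items():
            if needle in region and name not in hits:
                hits.append(name)
    return hits


def build_samples() -> dict[str, bytes]:
    """Constructed, harmless stand-ins for attachments: they carry the
    indicators of an embedded Equation object but no exploit payload."""
    eq_object = EQ_CLSID_RAW + b"Equation Native" + b"\x00" * 8
    hexdata = eq_object.hex().encode("ascii")
    # obfuscated variant: hex broken up with \par control words and spaces
    obfuscated = b"\\par ".join(hexdata[i : i + 6] for i in range(0, len(hexdata), 6))
    rtf = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata %s}}}"
    # minimal OLE compound-file header followed by a UTF-16 stream name
    ole = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
           + INDICATORS["Equation Native stream (UTF-16)"])
    return {
        "postcard.rtf": rtf % hexdata,
        "postcard_obfuscated.rtf": rtf % obfuscated,
        "reserve_law.doc": ole,
        "benign.rtf": b"{\\rtf1\\ansi Quarterly report attached.}",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        hits = scan_attachment(blob)
        verdict = "QUARANTINE" if hits else "clean"
        print(f"{name:26s} {verdict:10s} {', '.join(hits)}")
```

Treat a hit as a triage signal rather than proof of exploitation: legitimate old documents also embed Equation 3.0 objects, so a hit should route the file to a sandbox or an analyst, and an organisation that has already disabled Equation Editor can simply block such attachments. The `\objdata` cleanup handles only whitespace and control-word padding; more aggressive RTF obfuscation (nested groups, binary `\bin` runs) still needs a full RTF parser.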

The disclosure follows a December report of attacks on the same country, pointing to Cloud Atlas's growing focus on "high profile victims" in Russia and neighbouring regions. The group specialises in espionage and information theft, but the state or organisation sponsoring it has not been identified.

Cloud Atlas typically gains initial access through carefully crafted phishing emails carrying malicious attachments. The documents imitate government statements, media articles, business proposals or advertisements, which is what makes the lures convincing.

The attackers tightly control who can retrieve the malicious payload, serving it only to whitelisted targets. Cloud Atlas also sends decoy documents that contain no malicious code but fingerprint the recipient, recording the victim's IP address as part of reconnaissance.

Russian security teams are on alert given the group's sustained activity against organisations in the country, and researchers expect the attacks to continue for as long as the conflict between Russia and Ukraine does.
