Chimera Group Now Targeting Cloud Services
Researchers with NCC Group and Fox-IT have recently published a report related to a threat actor who has remained undetected for up to three years. Dubbed Chimera, the threat group has been abusing Microsoft and Google cloud services with the goal of exfiltrating data across a broad range of target organizations.
Chimera with a wide set of interests
The report detailed various incident response engagements related to the Chimera group between October 2019 and April 2020.
- The researchers analyzed the overlap in infrastructure and capabilities between the various incidents and reported that the Chimera group, operating in Chinese interests, was carrying out intrusions across multiple victims.
- The group has targeted a wide range of data, from intellectual property in the high-tech sector to passenger name record (PNR) data from the airline industry.
- Chimera has relied on credential theft and password spraying to deploy Cobalt Strike for remote access and command and control.
- In addition, the group has been using cloud storage web services such as Dropbox, Google Drive, and OneDrive and remote services such as VPN and Citrix, and a few specific tools named PsLogList, NtdsAudit, and Mimikatz.
- The group’s main objective is to exfiltrate sensitive data from victims’ networks and to return periodically to check for new data of interest and new user accounts.
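As an added example (not code from the NCC Group/Fox-IT report or from this article), the following detection logic separates the password spraying described above from ordinary single-account brute force when run over authentication events; the log lines, their field layout and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data); each line is:
# timestamp, source IP, account, outcome
SAMPLE_LOG = """\
2020-03-01T09:00:01 203.0.113.7 alice FAIL
2020-03-01T09:00:04 203.0.113.7 bob FAIL
2020-03-01T09:00:09 203.0.113.7 carol FAIL
2020-03-01T09:00:15 203.0.113.7 dave FAIL
2020-03-01T09:00:21 203.0.113.7 erin FAIL
2020-03-01T09:00:27 203.0.113.7 frank SUCCESS
2020-03-01T09:01:00 198.51.100.2 alice FAIL
2020-03-01T09:01:05 198.51.100.2 alice FAIL
2020-03-01T09:01:11 198.51.100.2 alice FAIL
2020-03-01T09:01:18 198.51.100.2 alice SUCCESS
"""

def parse(log):
    """Turn the constructed log text into (datetime, source, user, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts with few attempts each.

    A spray touches many accounts at low volume per account, which is what hides it
    from per-account lockout; brute force against one account is the opposite shape.
    Returns {source: {"accounts": distinct failed accounts, "successes": [users]}}.
    """
    hits = {}
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            fails = defaultdict(int)
            for _, _, user, outcome in span:
                if outcome == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                succ = sorted({u for _, _, u, o in span if o == "SUCCESS"})
                hits[src] = {"accounts": len(fails), "successes": succ}
    return hits
```

A success from a flagged source, as with `frank` above, is the account to treat as compromised and reset first.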
Recent attacks involving cloud services
- Recently, the North Korean APT group APT37 was seen distributing a cloud-based variant of the RokRat RAT that steals data from a victim’s machine and sends it to cloud services.
- In late December, Russian hackers compromised Microsoft Cloud customers and stole emails from at least one private sector company.
To sum it up
Cloud services are being increasingly targeted and the fact that attackers more often than not fly under the radar points to sophisticated intrusion tactics and techniques. In addition, targeting data that is very useful and important for nation-states indicates that the Chimera group may be planning to take its scope of attacks to much broader levels.