Chimera Group Now Targeting Cloud Services

Chimera with a wide set of interests

• The researchers analyzed the overlap between the various incidents in infrastructure and capabilities and reported that the Chimera group was carrying out intrusions across multiple victims operating in Chinese interests.
• The group has targeted a wide range of data from intellectual property in the high-tech sector to PNR data from the airline industry.
• Chimera has relied on credential theft and password spraying to deploy Cobalt Strike for remote access and command and control.
• In addition, the group has been using cloud storage web services such as Dropbox, Google Drive, and OneDrive and remote services such as VPN and Citrix, and a few specific tools named PsLogList, NtdsAudit, and Mimikatz.
• The group’s main objective is to exfiltrate sensitive data from the victim’s networks and check for new data of interest and user accounts.

Recent attacks involving cloud services

• Recently, the North Korean APT group APT37 was seen distributing a cloud-based RAT variant of RokRat to steal data from a victim’s machine and send them to cloud services.
• In late December, Russian hackers compromised Microsoft Cloud customers and stole emails from at least one private sector company.

To sum it up