ATK116 (aka Cloud Atlas) is a cyber espionage group active since at least 2007, focusing on governmental agencies around the world. This group is known for Operation Red October, which targeted governmental agencies (embassies), research, energy, aerospace and military organisations in a wide range of countries, mostly in Russia, Western and Eastern Europe, Central Asia, South America and Africa. This group seems to have Russian-speaking origins.
This group used a large CnC network of infected machines and dozens of domain names working as a chain of proxies to hide the attacker's location. Cloud Atlas is able to target mobile devices, network equipment and removable disk drives, increasing the quantity of sensitive data accessible. They use multiple exploits but no 0-days, which can be interpreted as a lack of resources.
Cloud Atlas created the Inception framework, a sophisticated framework able to launch multiple modules, allowing the group to adapt to its target. This framework is still used in 2019.
After the Kaspersky disclosure in 2013, the group hid and then reappeared in 2014 with the "Cloud Atlas" malware. This behaviour was repeated thereafter in 2014 after the publication by Symantec. The group improved its C2 infrastructure in 2014 by using cloud services, which have the advantage of not being blacklisted and of using encrypted communication protocols. They can also use compromised routers as proxies to hide their origin.
According to DomainTools, the ATK116 group (Inception, Cloud Atlas) was active in October-November 2020 in the conflict between Azerbaijan and Armenia in Nagorno-Karabakh, with an espionage campaign based on the use of a decoy article entitled "Armenia transfers YPG/PKK terrorists to occupied area to train militias against Azerbaijan".
REFERENCES
Global Research & Analysis Team, Kaspersky Lab, ‘“Red October” Diplomatic Cyber Attacks Investigation’, Kaspersky (Securelist), 14 January 2013, https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/.
Global Research & Analysis Team, Kaspersky Lab, ‘“Red October” – Part Two, the Modules’, Kaspersky (Securelist), 17 January 2013, https://securelist.com/red-october-part-two-the-modules/57645/.
Global Research & Analysis Team, Kaspersky Lab, ‘Cloud Atlas: RedOctober APT Is Back in Style’, Kaspersky (Securelist), 10 December 2014, https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/.
Threat Hunter Team and Network Protection Security Labs, ‘Inception Framework: Alive and Well, and Hiding Behind Proxies’, Symantec (Broadcom), 14 March 2018, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies.
Tom Lancaster, ‘Inception Attackers Target Europe with Year-Old Office Vulnerability’, Palo Alto Networks (Unit42) (blog), 5 November 2018, https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/.
Global Research & Analysis Team, Kaspersky Lab, ‘Recent Cloud Atlas Activity’, Kaspersky (Securelist), 12 August 2019, https://securelist.com/recent-cloud-atlas-activity/92016/.
Joe Slowik, ‘Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity’, DomainTools, 20 November 2020, https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify.