ATK116


Alias: Cloud Atlas, Inception group

ATK116 (aka Cloud Atlas) is a cyber espionage group active since at least 2007, focusing on governmental agencies around the world. The group is known for Operation Red October, which targeted governmental agencies (embassies), research, energy, aerospace and military organisations in a wide range of countries, mostly in Russia, Western and Eastern Europe, Central Asia, South America and Africa. The group appears to be of Russian-speaking origin.

 

The group used a large C2 network of infected machines and dozens of domain names working as a chain of proxies to hide the attackers' location. Cloud Atlas is able to target mobile devices, network equipment and removable disk drives, increasing the quantity of sensitive data it can reach. The group uses multiple exploits but no zero-days, which can be interpreted as a lack of resources.

 

Cloud Atlas created the Inception framework, a sophisticated framework able to launch multiple modules, which lets the group adapt to each target. The framework was still in use in 2019.

 

After the Kaspersky disclosure in 2013, the group went quiet and then reappeared in 2014 with the "Cloud Atlas" malware. The same pattern was repeated in 2014 after Symantec's publication. The group improved its C2 infrastructure in 2014 by using cloud services, which have the advantage of not being blacklisted, and by using encrypted communication protocols. The group can also use compromised routers as proxies to hide its origin.

 

According to DomainTools, the ATK116 group (Inception, Cloud Atlas) was active in October-November 2020 during the conflict between Azerbaijan and Armenia in Nagorno-Karabakh, running an espionage campaign that used a decoy article entitled "Armenia transfers YPG/PKK terrorists to occupied area to train militias against Azerbaijan".

 

Target sector

  • Aerospace
  • Energy
  • Government and administration agencies
  • Military
  • Research

Target countries

  • Afghanistan
  • Armenia
  • Azerbaijan
  • Belarus
  • Belgium
  • France
  • Greece
  • India
  • Iran, Islamic Republic Of
  • Italy
  • Kazakhstan
  • Morocco
  • Pakistan
  • Russian Federation
  • Saudi Arabia
  • Slovenia
  • Turkey
  • Turkmenistan
  • Uganda
  • Ukraine
  • United Arab Emirates
  • United Kingdom Of Great Britain And Northern Ireland
  • United States Of America
  • Viet Nam

Attack pattern

  • T1003 - Credential Dumping
  • T1022 - Data Encrypted
  • T1025 - Data from Removable Media
  • T1032 - Standard Cryptographic Protocol
  • T1046 - Network Service Scanning
  • T1056 - Input Capture
  • T1060 - Registry Run Keys / Startup Folder
  • T1065 - Uncommonly Used Port
  • T1071 - Standard Application Layer Protocol
  • T1082 - System Information Discovery
  • T1086 - PowerShell
  • T1091 - Replication Through Removable Media
  • T1107 - File Deletion
  • T1112 - Modify Registry
  • T1113 - Screen Capture
  • T1114 - Email Collection
  • T1140 - Deobfuscate/Decode Files or Information
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1214 - Credentials in Registry
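The technique list pairs Registry Run Keys / Startup Folder (T1060) with PowerShell (T1086) and spearphishing attachments that drop script-based loaders such as POWERSHOWER and VBShower. The following is an added example, not code from the original page and not derived from any analysis of the group's own malware: a generic hunt over registry value-set events (modelled on the Sysmon Event ID 13 fields TargetObject and Details) that flags Run-key values launching a script host with arguments typical of script loaders. The sample events are constructed for the example; the script-host list, argument patterns and scoring weights are the author's assumptions, not indicators published for ATK116.

```python
import re
from dataclasses import dataclass

# Constructed sample events in Sysmon Event ID 13 (RegistryEvent / SetValue) style.
# Illustrative only; not captured from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Office",
     "Details": r'wscript.exe //B //E:VBScript "C:\Users\u\AppData\Roaming\office.txt"'},
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" /tray'},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Persistence locations of interest (T1060).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Script hosts commonly abused by script-based loaders (assumed list, analyst's choice).
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)(\.exe)?\b", re.IGNORECASE)

# Argument patterns that raise the score when a script host is started from a Run key.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.IGNORECASE),
    "hidden_window": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.IGNORECASE),
    "no_profile": re.compile(r"(^|\s)-nop(rofile)?\b", re.IGNORECASE),
    "script_from_userdir": re.compile(r"\\AppData\\|\\Temp\\|%appdata%|%temp%", re.IGNORECASE),
    "nonscript_extension": re.compile(r"\.(txt|dat|tmp|log)\b", re.IGNORECASE),
}


@dataclass
class Finding:
    target: str
    details: str
    reasons: list
    score: int


def score_event(event):
    """Return a Finding for a Run-key value that launches a script host, else None."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not RUN_KEY_RE.search(target):
        return None
    if not SCRIPT_HOSTS.search(details):
        return None
    reasons = ["script_host_in_run_key"]
    for name, pattern in SUSPICIOUS_ARGS.items():
        if pattern.search(details):
            reasons.append(name)
    # Assumed weights: 1 for the script host itself, +1 per matching argument pattern.
    return Finding(target=target, details=details, reasons=reasons, score=len(reasons))


def hunt(events, threshold=2):
    """Score every event and return findings at or above the threshold, highest first."""
    findings = [f for f in (score_event(e) for e in events) if f is not None]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"score={f.score} {f.target}\n  {f.details}\n  reasons={f.reasons}")
```

On the constructed sample, the encoded, hidden-window PowerShell launcher scores 4 and the wscript entry pointing at a `.txt` file under AppData scores 3, while the two legitimate Run entries produce no finding because they start a normal executable rather than a script host. A threshold of 2 keeps a plain `wscript.exe script.vbs` entry out of the alert queue; lower it to 1 when baselining a new environment.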

Motivation

  • Espionage

Malware

  • Inception framework
  • POWERSHOWER
  • VBShower

Vulnerabilities

  • CVE-2009-3129
  • CVE-2010-3333
  • CVE-2011-3544
  • CVE-2012-0158
  • CVE-2012-1856
  • CVE-2014-1761
  • CVE-2017-11882
  • CVE-2018-0802