May 2, 2024 at 06:08AM
Nation-state espionage groups are increasingly using Microsoft’s services for their command-and-control needs, finding it more economical and effective than maintaining their own infrastructure. For example, Symantec discovered “BirdyClient,” a malware that leverages Microsoft Graph to operate through OneDrive. Multiple groups, including APT37 and Cozy Bear, have used this technique, so organizations need to be vigilant against unsanctioned cloud accounts.
From the meeting notes, it’s evident that nation-state espionage groups are increasingly using native Microsoft services to host their command-and-control operations. This approach lets attackers blend in with legitimate network traffic and avoid the cost and complexity of maintaining their own infrastructure. Microsoft Graph, an API that connects to data across Microsoft cloud services, has been exploited by several malware families, such as BirdyClient, Bluelight, Backdoor.Graphon, Graphite, and SiestaGraph, to conduct C2 operations over different Microsoft services, especially OneDrive.
This trend has caught the attention of cybersecurity experts, who emphasize the need for organizations to be vigilant about the use of unsanctioned cloud accounts and to ensure that connections to Microsoft services go to their own enterprise accounts rather than to personal or third-party tenants. The rise of such attacks highlights the importance of tightening security measures in the face of evolving cyber threats.
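The practical check the experts describe, that Microsoft Graph and OneDrive traffic from the network authenticates only to the organization's own tenant, can be implemented against web-proxy logs. The example below is added here and is not code from the original article or from Symantec; it assumes a constructed, hypothetical proxy log format (timestamp, source IP, method, URL, status) and a constructed allowlist of tenant IDs. It relies on the fact that token requests to Microsoft Entra ID carry the tenant in the URL path (`login.microsoftonline.com/{tenant}/oauth2/...`), where `{tenant}` is a tenant GUID, a verified domain, or one of the generic endpoints `common`, `organizations`, or `consumers` (the last being personal Microsoft accounts). Sources that call `graph.microsoft.com` without any observed authentication to a sanctioned tenant are reported separately.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical format: timestamp src_ip method url status).
# 10.1.4.22 authenticates to the org tenant; 10.1.4.57 to a personal account (consumers);
# 10.1.4.90 to an unknown (foreign) tenant. Both of the latter then use OneDrive via Graph.
SAMPLE_LOG = """\
2024-05-02T06:01:10Z 10.1.4.22 POST https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/token 200
2024-05-02T06:01:11Z 10.1.4.22 GET https://graph.microsoft.com/v1.0/me/drive/root/children 200
2024-05-02T06:02:30Z 10.1.4.57 POST https://login.microsoftonline.com/consumers/oauth2/v2.0/token 200
2024-05-02T06:02:31Z 10.1.4.57 PUT https://graph.microsoft.com/v1.0/me/drive/root:/task.txt:/content 201
2024-05-02T06:03:05Z 10.1.4.90 POST https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/oauth2/v2.0/token 200
2024-05-02T06:03:06Z 10.1.4.90 GET https://graph.microsoft.com/v1.0/me/drive/items/abc/content 200
2024-05-02T06:04:00Z 10.1.4.22 GET https://www.example.org/index.html 200
"""

# Constructed: the organisation's own tenant ID (a verified domain such as
# contoso.onmicrosoft.com could be listed here as well).
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)
MULTI_TENANT = {"common", "organizations"}  # generic endpoints that name no tenant
PERSONAL = {"consumers"}                     # endpoint for personal Microsoft accounts


def parse_line(line):
    """Parse one hypothetical proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    return rec


def tenant_verdict(path, allowed):
    """Classify the tenant segment of an Entra ID token request path.

    Returns (tenant, verdict) or None if the path is not an oauth2 request.
    Handles both /{tenant}/oauth2/token (v1) and /{tenant}/oauth2/v2.0/token (v2).
    """
    segs = [s for s in path.split("/") if s]
    if len(segs) < 2 or segs[1] != "oauth2":
        return None
    tenant = segs[0].lower()
    allowed = {a.lower() for a in allowed}
    if tenant in allowed:
        return tenant, "sanctioned"
    if tenant in PERSONAL:
        return tenant, "personal"
    if tenant in MULTI_TENANT:
        return tenant, "unspecified"
    return tenant, "foreign"


def audit(log_text, allowed):
    """Two-pass audit: first collect token requests per source, then flag Graph
    traffic from sources that never authenticated to a sanctioned tenant."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    auth, sanctioned_src = [], set()
    for r in records:
        if r["host"] == "login.microsoftonline.com":
            v = tenant_verdict(r["path"], allowed)
            if v:
                auth.append((r["src"], v[0], v[1]))
                if v[1] == "sanctioned":
                    sanctioned_src.add(r["src"])
    graph_unverified = [
        (r["src"], r["method"], r["path"])
        for r in records
        if r["host"] == "graph.microsoft.com" and r["src"] not in sanctioned_src
    ]
    return {"auth": auth, "graph_unverified": graph_unverified}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, ALLOWED_TENANTS)
    for src, tenant, verdict in result["auth"]:
        print(f"auth  {src:<10} tenant={tenant} verdict={verdict}")
    for src, method, path in result["graph_unverified"]:
        print(f"graph {src:<10} {method} {path}  (no sanctioned auth seen)")
```

The URL paths are only visible when the proxy performs TLS inspection; without it, only the hostnames are available and the tenant cannot be read from the log, so an enforcement control such as Microsoft's tenant restrictions (the proxy injecting the `Restrict-Access-To-Tenants` header on traffic to the login endpoints) is the more robust option. A `foreign` or `unspecified` verdict is a lead to triage rather than proof of compromise: guest access to a partner tenant or a sanctioned SaaS integration produces the same pattern, and a source may be using a token it obtained before the log window began.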