Exfiltration to Cloud Storage
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow data to be stored, edited, and retrieved on a remote server over the Internet; examples include Dropbox and Google Docs. Exfiltration to these services can provide significant cover to the adversary, because hosts within the network are often already communicating with them and the uploads blend in with legitimate use.
Detection logic
Analyze network data for uncommon data flows to known cloud storage services (e.g., a client sending significantly more data than it receives from a server). Processes that use the network but do not normally have network communication, or that have never been seen before, are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.
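The detection logic above, run over sample flow records, as an added example that is not part of the original page or of ATT&CK. It aggregates per source host, process and service, flags flows to a cloud storage domain where the client sends far more than it receives, and separately flags processes that have no network baseline. The flow records (Zeek conn.log-style fields plus a process name), the cloud storage domain list and the process baseline are all constructed for this example; the thresholds are assumptions to be tuned per environment.

```python
"""
Upload-heavy flows to cloud storage and processes with no network baseline.
Example code written for this page; all inputs below are constructed.
"""
from collections import defaultdict

# Assumed (partial) list of cloud storage service domains. Real deployments
# would pull this from an allowlist or threat-intel feed.
CLOUD_STORAGE_DOMAINS = {
    "dropbox.com", "dropboxapi.com", "docs.google.com",
    "drive.google.com", "onedrive.live.com", "box.com",
}

# Constructed flow records: orig_bytes is client->server, resp_bytes is server->client.
SAMPLE_FLOWS = [
    {"ts": "2024-05-01T09:00:12Z", "src": "10.0.4.21", "process": "chrome.exe",
     "server_name": "drive.google.com", "orig_bytes": 180_000, "resp_bytes": 6_400_000},
    {"ts": "2024-05-01T09:02:40Z", "src": "10.0.4.21", "process": "Dropbox.exe",
     "server_name": "content.dropboxapi.com", "orig_bytes": 2_100_000, "resp_bytes": 9_800_000},
    {"ts": "2024-05-01T02:13:05Z", "src": "10.0.4.37", "process": "rundll32.exe",
     "server_name": "content.dropboxapi.com", "orig_bytes": 61_000_000, "resp_bytes": 14_000},
    {"ts": "2024-05-01T02:19:31Z", "src": "10.0.4.37", "process": "rundll32.exe",
     "server_name": "content.dropboxapi.com", "orig_bytes": 58_000_000, "resp_bytes": 12_000},
    {"ts": "2024-05-01T02:25:02Z", "src": "10.0.4.37", "process": "powershell.exe",
     "server_name": "docs.google.com", "orig_bytes": 2_000_000, "resp_bytes": 90_000},
    {"ts": "2024-05-01T10:11:48Z", "src": "10.0.4.21", "process": "chrome.exe",
     "server_name": "www.google.com", "orig_bytes": 40_000_000, "resp_bytes": 50_000},
]

# Constructed baseline: processes that normally have network communication.
BASELINE_PROCS = {"chrome.exe", "Dropbox.exe", "msedge.exe", "outlook.exe"}


def is_cloud_storage(host):
    """True if the host name or any of its parent domains is a known cloud storage service."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in CLOUD_STORAGE_DOMAINS for i in range(len(labels)))


def aggregate(flows):
    """Sum bytes and flow counts per (src, process, service) for cloud storage destinations."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0, "flows": 0})
    for f in flows:
        if not is_cloud_storage(f["server_name"]):
            continue
        t = totals[(f["src"], f["process"], f["server_name"])]
        t["sent"] += f["orig_bytes"]
        t["recv"] += f["resp_bytes"]
        t["flows"] += 1
    return totals


def detect(flows, baseline_procs, min_sent=10 * 1024 * 1024, ratio=10.0):
    """Return findings for upload-heavy cloud storage traffic and unbaselined processes.

    min_sent: minimum bytes uploaded before the ratio check applies (assumed threshold).
    ratio:    sent/received multiple that counts as an uncommon data flow (assumed).
    """
    findings = []
    for (src, proc, service), t in aggregate(flows).items():
        reasons = []
        if t["sent"] >= min_sent and t["sent"] >= ratio * max(t["recv"], 1):
            reasons.append("upload-heavy")
        if proc not in baseline_procs:
            reasons.append("no-network-baseline")
        if reasons:
            findings.append({
                "src": src, "process": proc, "service": service,
                "sent_bytes": t["sent"], "recv_bytes": t["recv"],
                "flows": t["flows"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS, BASELINE_PROCS):
        print(finding)
```

On the constructed input this flags the rundll32.exe host, which pushed about 119 MB to Dropbox while receiving a few KB, and the unbaselined powershell.exe session, while the browser download and the legitimate sync client pass. Note that a real sync client is itself upload-heavy whenever a user adds files, so in production the ratio check should be applied against a per-process, per-host baseline rather than a single global threshold, and the 40 MB upload to www.google.com is deliberately ignored here because it is not a cloud storage domain, which is a gap a separate generic upload-volume rule should cover.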
Observed actors
G0119
G0094 Kimsuky
G0125 HAFNIUM
G0046 FIN7
G0128 ZIRCONIUM
G1015 Scattered Spider
G1024 Akira
G1005 POLONIUM
G0142 Confucius
G0065 Leviathan
G0010 Turla
G1021 Cinnamon Tempest
G0114 Chimera
G1003 Ember Bear
G1022 ToddyCat
G1014 LuminousMoth
G0032 Lazarus Group
G1006 Earth Lusca
G0102 Wizard Spider
G1001 HEXANE
G0027 Threat Group-3390