Threat Group Cards: A Threat Actor Encyclopedia

APT group: Inception Framework, Cloud Atlas

Names	Inception Framework (Symantec) Cloud Atlas (Kaspersky) Oxygen (Microsoft) ATK 116 (Thales) Blue Odin (PWC) The Rocra (?) Clean Ursa (Palo Alto)
Country	Russia
Motivation	Information theft and espionage
First seen	2012
Description	(Symantec) Researchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is being used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’ computers. Because of the many layers used in the design of the malware, we’ve named it Inception—a reference to the 2010 movie “Inception” about a thief who entered peoples’ dreams and stole secrets from their subconscious. Targets include individuals in strategic positions: Executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents. • Initially targeted at Russia, but expanding globally • Masterful identity cloaking and diversionary tactics • Clean and elegant code suggesting strong backing and top-tier talent • Includes malware targeting mobile devices: Android, Blackberry and iOS • Using a free cloud hosting service based in Sweden for command and control
Observed	Sectors: Aerospace, Defense, Embassies, Energy, Engineering, Financial, Government, Oil and gas, Research. Countries: Afghanistan, Armenia, Austria, Azerbaijan, Belarus, Belgium, Brazil, Congo, Cyprus, France, Georgia, Germany, Greece, India, Indonesia, Iran, Italy, Jordan, Kazakhstan, Kenya, Kyrgyzstan, Lebanon, Lithuania, Malaysia, Moldova, Morocco, Mozambique, Oman, Pakistan, Paraguay, Portugal, Qatar, Romania, Russia, Saudi Arabia, Slovenia, South Africa, Suriname, Switzerland, Tajikistan, Tanzania, Turkey, Turkmenistan, Uganda, Ukraine, UAE, USA, Uzbekistan, Venezuela, Vietnam.
Tools used	Inception, Lastacloud, PowerShower, VBShower and many 0-day exploits.
Operations performed	Oct 2012	Operation “RedOctober” In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after famous novel “The Hunt For The Red October”). <https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8>
	May 2014	Hiding Behind Proxies Since 2014, Symantec has found evidence of a steady stream of attacks from the Inception Framework targeted at organizations on several continents. As time has gone by, the group has become ever more secretive, hiding behind an increasingly complex framework of proxies and cloud services. <https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies>
	Aug 2014	Operation “Cloud Atlas” In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world. <https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>
	Oct 2018	This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell. <https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>
	2019	During its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system. <https://securelist.com/recent-cloud-atlas-activity/92016/>
	Feb 2022	Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine <https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/>
	Dec 2023	Cyber-espionage group Cloud Atlas targets Russian companies with war-related phishing attacks <https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing>
Information	<https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit> <https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf>
MITRE ATT&CK	<https://attack.mitre.org/groups/G0100/>
Playbook	<https://pan-unit42.github.io/playbook_viewer/?pb=clean-ursa>

Last change to this card: 10 March 2024

Download this actor card in PDF or JSON format