Names | Inception Framework (Symantec) Cloud Atlas (Kaspersky) Oxygen (Microsoft) ATK 116 (Thales) Blue Odin (PWC) The Rocra (?) Clean Ursa (Palo Alto) | |
Country | Russia | |
Motivation | Information theft and espionage | |
First seen | 2012 | |
Description | (Symantec) Researchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is being used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’ computers. Because of the many layers used in the design of the malware, we’ve named it Inception—a reference to the 2010 movie “Inception” about a thief who entered peoples’ dreams and stole secrets from their subconscious. Targets include individuals in strategic positions: Executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents. • Initially targeted at Russia, but expanding globally • Masterful identity cloaking and diversionary tactics • Clean and elegant code suggesting strong backing and top-tier talent • Includes malware targeting mobile devices: Android, Blackberry and iOS • Using a free cloud hosting service based in Sweden for command and control | |
Observed | Sectors: Aerospace, Defense, Embassies, Energy, Engineering, Financial, Government, Oil and gas, Research. Countries: Afghanistan, Armenia, Austria, Azerbaijan, Belarus, Belgium, Brazil, Congo, Cyprus, France, Georgia, Germany, Greece, India, Indonesia, Iran, Italy, Jordan, Kazakhstan, Kenya, Kyrgyzstan, Lebanon, Lithuania, Malaysia, Moldova, Morocco, Mozambique, Oman, Pakistan, Paraguay, Portugal, Qatar, Romania, Russia, Saudi Arabia, Slovenia, South Africa, Suriname, Switzerland, Tajikistan, Tanzania, Turkey, Turkmenistan, Uganda, Ukraine, UAE, USA, Uzbekistan, Venezuela, Vietnam. | |
Tools used | Inception, Lastacloud, PowerShower, VBShower and many 0-day exploits. | |
Operations performed | Oct 2012 | Operation “RedOctober” In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after famous novel “The Hunt For The Red October”). <https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8> |
May 2014 | Hiding Behind Proxies Since 2014, Symantec has found evidence of a steady stream of attacks from the Inception Framework targeted at organizations on several continents. As time has gone by, the group has become ever more secretive, hiding behind an increasingly complex framework of proxies and cloud services. <https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies> | |
Aug 2014 | Operation “Cloud Atlas” In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world. <https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/> | |
Oct 2018 | This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell. <https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/> | |
2019 | During its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system. <https://securelist.com/recent-cloud-atlas-activity/92016/> | |
Feb 2022 | Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine <https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/> | |
Dec 2023 | Cyber-espionage group Cloud Atlas targets Russian companies with war-related phishing attacks <https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing> | |
Information | <https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit> <https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0100/> | |
Playbook | <https://pan-unit42.github.io/playbook_viewer/?pb=clean-ursa> |
Last change to this card: 10 March 2024
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |