ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Inception Framework, Cloud Atlas

Names: Inception Framework (Symantec)
       Cloud Atlas (Kaspersky)
       Oxygen (Microsoft)
       ATK 116 (Thales)
       Blue Odin (PWC)
       The Rocra (?)
       Clean Ursa (Palo Alto)
Country: Russia
Motivation: Information theft and espionage
First seen: 2012
Description: (Symantec) Researchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is being used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’ computers. Because of the many layers used in the design of the malware, we’ve named it Inception—a reference to the 2010 movie “Inception” about a thief who entered people’s dreams and stole secrets from their subconscious. Targets include individuals in strategic positions: executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents.

• Initially targeted at Russia, but expanding globally
• Masterful identity cloaking and diversionary tactics
• Clean and elegant code suggesting strong backing and top-tier talent
• Includes malware targeting mobile devices: Android, Blackberry and iOS
• Using a free cloud hosting service based in Sweden for command and control
Observed sectors: Aerospace, Defense, Embassies, Energy, Engineering, Financial, Government, Oil and gas, Research.
Observed countries: Afghanistan, Armenia, Austria, Azerbaijan, Belarus, Belgium, Brazil, Congo, Cyprus, France, Georgia, Germany, Greece, India, Indonesia, Iran, Italy, Jordan, Kazakhstan, Kenya, Kyrgyzstan, Lebanon, Lithuania, Malaysia, Moldova, Morocco, Mozambique, Oman, Pakistan, Paraguay, Portugal, Qatar, Romania, Russia, Saudi Arabia, Slovenia, South Africa, Suriname, Switzerland, Tajikistan, Tanzania, Turkey, Turkmenistan, Uganda, Ukraine, UAE, USA, Uzbekistan, Venezuela, Vietnam.
Tools used: Inception, Lastacloud, PowerShower, VBShower and many 0-day exploits.
Operations performed:

Oct 2012: Operation “RedOctober”
In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large-scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after the famous novel “The Hunt for Red October”).
<https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8>
May 2014: Hiding Behind Proxies
Since 2014, Symantec has found evidence of a steady stream of attacks from the Inception Framework targeted at organizations on several continents. As time has gone by, the group has become ever more secretive, hiding behind an increasingly complex framework of proxies and cloud services.
<https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies>
Aug 2014: Operation “Cloud Atlas”
In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world.
<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>
Oct 2018: This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell.
<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>
2019: During its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain, no longer relying on PowerShower directly after infection but instead executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.
<https://securelist.com/recent-cloud-atlas-activity/92016/>
Feb 2022: Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
<https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/>
Dec 2023: Cyber-espionage group Cloud Atlas targets Russian companies with war-related phishing attacks
<https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing>
Information: <https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit>
<https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0100/>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=clean-ursa>

Last change to this card: 10 March 2024
