Multiple hacker collectives have been actively using the Microsoft Graph API to conceal their communications with command and control (C2) infrastructure hosted on Microsoft cloud services, cybersecurity researchers from the Symantec Threat Hunter Team revealed.
Researchers say that for two and a half years, groups such as APT28, REF2924, Red Stinger, Flea, APT29 and OilRig have been using this technique to stay out of sight. Among the targets was an unnamed organization in Ukraine, which was infected with a previously unknown malware variant called BirdyClient.
The use of Microsoft Graph API to hide malware communications was first seen in June 2021, but its adoption did not accelerate until a year later.
Reliable and cheap
Symantec researchers believe that hacking groups are turning to Microsoft's cloud services to host C&C infrastructure because of the company's good reputation: traffic to such well-known services is unlikely to set off any alarms, they argue.
“Attackers' communications with C&C servers can often raise red flags in targeted organizations,” Symantec said. “The popularity of the Graph API among attackers may be due to the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicion.”
There is also the question of costs: “In addition to going unnoticed, it is also a source of cheap and secure infrastructure for attackers, since basic accounts for services like OneDrive are free.”
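The point above is that Graph API traffic blends in because legitimate clients talk to graph.microsoft.com all the time. An added defender-side example (not from the Symantec report): the destination alone is not a useful signal, but the originating process and the regularity of its polling are. The script below parses constructed proxy/EDR log lines (timestamp, host, process, destination) and flags a host/process pair that contacts the Graph API either from a process outside an illustrative allowlist or on a near-constant interval, which is typical of a C&C poll loop. The allowlist and thresholds are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real telemetry): time, host, process, destination.
SAMPLE_LOG = """\
2024-05-03T10:00:00Z ws-17 OUTLOOK.EXE graph.microsoft.com
2024-05-03T10:00:05Z ws-17 svchost_update.exe graph.microsoft.com
2024-05-03T10:01:05Z ws-17 svchost_update.exe graph.microsoft.com
2024-05-03T10:02:05Z ws-17 svchost_update.exe graph.microsoft.com
2024-05-03T10:03:06Z ws-17 svchost_update.exe graph.microsoft.com
2024-05-03T10:04:05Z ws-17 svchost_update.exe graph.microsoft.com
2024-05-03T10:07:41Z ws-17 OUTLOOK.EXE graph.microsoft.com
2024-05-03T10:09:12Z ws-17 msedge.exe graph.microsoft.com
2024-05-03T10:31:57Z ws-17 OUTLOOK.EXE graph.microsoft.com
2024-05-03T10:45:03Z ws-17 OUTLOOK.EXE graph.microsoft.com
2024-05-03T11:20:00Z ws-17 OUTLOOK.EXE graph.microsoft.com
"""

# Processes expected to talk to the Graph API: an illustrative allowlist (assumption), tune per fleet.
EXPECTED = {"OUTLOOK.EXE", "ONEDRIVE.EXE", "TEAMS.EXE", "MSEDGE.EXE"}
GRAPH_HOSTS = {"graph.microsoft.com"}

def parse_line(line):
    ts, host, proc, dest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, dest

def find_graph_beacons(log_text, min_events=4, max_cv=0.15):
    """Return (host, process, event_count, mean_gap_s, reasons) for suspicious Graph API talkers.

    max_cv is the coefficient of variation (stdev/mean) of inter-request gaps below which the
    polling is considered machine-regular rather than user-driven."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, proc, dest = parse_line(line)
        if dest in GRAPH_HOSTS:
            events[(host, proc)].append(ts)
    findings = []
    for (host, proc), times in events.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        reasons = []
        if proc.upper() not in EXPECTED:
            reasons.append("unexpected-process")
        if len(times) >= min_events:  # enough samples to judge regularity
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv <= max_cv:
                reasons.append("regular-interval")
        if reasons:
            mean_gap = round(statistics.mean(gaps), 1) if gaps else 0.0
            findings.append((host, proc, len(times), mean_gap, reasons))
    return findings
```

In the sample, OUTLOOK.EXE is allowlisted and its gaps are irregular, so only the unknown binary polling every 60 seconds is reported.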
APT28 is an infamous Russian state-sponsored threat actor that has been observed abusing Microsoft technologies in the past. In mid-March of this year, a report from IBM's X-Force claimed that the group was abusing the “search-ms” URI protocol handler to deploy malware on phishing victims. While its victims vary from campaign to campaign, its targeting always aligns with the interests of the Russian Federation; victims are therefore usually located in Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, the United States and elsewhere.
Via Hacker News