State-Sponsored Hacking Groups Increasingly Use Cloud & Open Source Infrastructure

Microsoft shuts down Azure Active Directory instances used by attackers to evade detection and warns that the use of open source tools by espionage groups is growing.

Espionage groups increasingly use cloud-based services and open source tools to build the infrastructure for their data collection and cyberattacks, attempting to hide their activity among the massive quantity of services and resources used by legitimate organizations.


Last week, Microsoft suspended 18 Azure Active Directory "applications" that the company identified as a component of a Chinese espionage group's command-and-control channel. Dubbed GADOLINIUM by Microsoft, the group has adopted a combination of cloud infrastructure, which can be quickly reconstituted after a takedown, and open source tools, which help its actions blend into legitimate activity.
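The practical question for a defender reading this is how an attacker-registered Azure AD application would stand out from the many legitimate ones in a tenant. One cheap hunting heuristic is to look in the Azure AD audit log for an application that is registered and then handed a service principal credential within minutes, by an initiator who does not normally do that. The following is an added illustration, not Microsoft's own detection logic and not code from the article: the audit records are constructed, and the activity names ("Add application", "Add service principal credentials") and the field layout are assumptions that should be checked against the actual audit-log schema of your tenant.

```python
from datetime import datetime, timedelta

# Constructed Azure AD audit-log records for illustration (not real data).
# The activity names are an assumption modelled on Azure AD audit events;
# verify them against your tenant's audit log before relying on them.
SAMPLE_AUDIT = [
    {"time": "2020-09-20T08:02:11Z", "activity": "Add application",
     "target": "hr-sync-connector", "initiator": "ops-admin@corp.example"},
    {"time": "2020-09-20T08:03:40Z", "activity": "Add service principal credentials",
     "target": "hr-sync-connector", "initiator": "ops-admin@corp.example"},
    {"time": "2020-09-21T14:10:05Z", "activity": "Add application",
     "target": "OneDriveSyncHelper", "initiator": "j.doe@corp.example"},
    {"time": "2020-09-21T14:12:19Z", "activity": "Add service principal credentials",
     "target": "OneDriveSyncHelper", "initiator": "j.doe@corp.example"},
    {"time": "2020-09-22T09:00:00Z", "activity": "Add application",
     "target": "finance-dashboard", "initiator": "j.doe@corp.example"},
    {"time": "2020-09-25T11:30:00Z", "activity": "Add service principal credentials",
     "target": "finance-dashboard", "initiator": "j.doe@corp.example"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_registrations(records, window=timedelta(minutes=30),
                                  trusted_initiators=frozenset()):
    """Return app names that were registered and then given a service
    principal credential within `window`, by an initiator not in the
    trusted set. A fast register-then-credential sequence from an
    unexpected account is what an attacker standing up a cloud C2
    application tends to look like; a slow one from the usual admins
    is normal app onboarding."""
    created = {}   # app name -> (registration time, initiator)
    flagged = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        when = parse_time(rec["time"])
        if rec["activity"] == "Add application":
            created[rec["target"]] = (when, rec["initiator"])
        elif rec["activity"] == "Add service principal credentials":
            hit = created.get(rec["target"])
            if (hit and when - hit[0] <= window
                    and rec["initiator"] not in trusted_initiators):
                flagged.append(rec["target"])
    return flagged


if __name__ == "__main__":
    # Treat the ops admin account as a known app-onboarding identity.
    print(find_suspicious_registrations(
        SAMPLE_AUDIT, trusted_initiators={"ops-admin@corp.example"}))
```

The allow-list is the part that needs tuning: without it every quick register-plus-secret sequence is flagged, which in a tenant with automated app provisioning is too noisy to act on. Flagged applications should then be reviewed for the permissions they were granted and the sign-in activity of their service principal, not simply deleted, since an attacker who can re-register applications will do so.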


The group is not the only state-sponsored group to increasingly employ cloud infrastructure and open source tools, according to Microsoft Threat Intelligence Center (MSTIC).


"MSTIC has noticed a slow trend of several nation-state activity groups migrating to open source tools in recent years ... an attempt to make discovery and attribution more difficult," Microsoft stated in a blog post. "The other added benefit to using open-source types of kits is that the development and new feature creation is done and created by someone else at no cost."


GADOLINIUM — also known as APT40, Kryptonite Panda, and Leviathan — has focused on stealing maritime information and associated research from universities to advance China's expansion of its navy, according to an analysis by cybersecurity services firm FireEye. While the espionage group has toyed with cloud infrastructure since 2016, the use of open source tools has only happened in the past two years, Microsoft