Mitre
Alias
Inception Framework, Cloud Atlas, Blue Odin, The Rocra, ATK116, Operation "Cloud Atlas", Operation "Red October", G0100, ATK 116, Clean Ursa, Oxygen
Country
Russia
Sponsor
Russian Federation
Motivation
Information Theft And Espionage
First Seen
2012
Description
(Symantec) Researchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is being used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims' computers. Because of the many layers used in the design of the malware, we've named it Inception, a reference to the 2010 movie "Inception" about a thief who entered people's dreams and stole secrets from their subconscious. Targets include individuals in strategic positions: executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents.
- Initially targeted at Russia, but expanding globally
- Masterful identity cloaking and diversionary tactics
- Clean and elegant code suggesting strong backing and top-tier talent
- Includes malware targeting mobile devices: Android, BlackBerry and iOS
- Using a free cloud hosting service based in Sweden for command and control
Targeted
Industries
Government, Research, Aerospace, Defense, Embassies, Energy, Oil And Gas, Financial, Engineering, Private Sector
Targeted
Countries
Morocco, Saudi Arabia, Italy, Turkey, France, Pakistan, Vietnam, Kazakhstan, Cyprus, Lebanon, Congo, Venezuela, Switzerland, Ukraine, United Kingdom, Malaysia, Russia, Germany, Greece, Kyrgyzstan, Brazil, Turkmenistan, Portugal, Romania, Austria, Suriname, UAE, USA, Iran, Afghanistan, Lithuania, United States, Qatar, Armenia, Oman, Tanzania, India, Uganda, Belgium, Belarus, Azerbaijan, Czech Republic, Moldova, Paraguay, Uzbekistan, Tajikistan, South Africa, Kenya, Mozambique, Georgia, Indonesia, Jordan
Tools
Many 0-day Exploits
Inception
PowerShower
VBShower
Lastacloud
TTP
T1204.002
T1218
T1555.003
T1090.003
T1573
T1221
T1059.001
T1203
T1083
T1090
T1057
T1082
T1204
T1555
T1566
T1027
T1071
T1588
T1566.001
T1218.010
T1102
T1071.001
T1059.005
T1059
T1069
T1547
T1547.001
T1518
T1069.002
T1005
T1588.002
T1573.001
T1218.005
Operations
Performed
[2012-10] Operation "Red October" (In October 2012, Kaspersky Lab's Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called "Red October" (after the famous novel "The Hunt for Red October").) (https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8)
[2014-05] Hiding Behind Proxies (Since 2014, Symantec has found evidence of a steady stream of attacks from the Inception Framework targeted at organizations on several continents. As time has gone by, the group has become ever more secretive, hiding behind an increasingly complex framework of proxies and cloud services.) (https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies)
[2014-08] Operation "Cloud Atlas" (In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world.) (https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/)
[2018-10] This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we're calling PowerShower due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell. (https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/)
[2019] During its recent campaigns, Cloud Atlas used a new "polymorphic" infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system. (https://securelist.com/recent-cloud-atlas-activity/92016/)
[2022-02] Cloud Atlas Targets Entities in Russia and Belarus Amid the Ongoing War in Ukraine (https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/)
Counter
Operations
Nil
Information