NCC Group and Fox-IT have been tracking a threat group - Chimera -  with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to passenger data from the airline industry.

In their intrusions, researchers at Fox-IT say, they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020. Their threat intelligence analysts noticed clear overlap between the various cases in infrastructure and capabilities, and as a result  they assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests. In open source this actor is referred to as Chimera by CyCraft.

NCC Group and Fox-IT have seen this actor remain undetected, their dwell time, for up to three years. As such, if you were a victim, they might still be active in your network looking for your most recent crown jewels.

NCC and Fox-IT contained and eradicated the threat from their client’s networks during incident response while their Managed Detection and Response (MDR) clients automatically received detection logic.

With the blog, NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set. For the publication, please visit https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/