Black Hat, Cloud Security

Nation-state attackers increasingly abuse Microsoft Graph API in espionage campaigns


LAS VEGAS -- Nation-state attackers are increasingly abusing the Microsoft Graph API to exfiltrate data from victims in plain sight. Using attacker-controlled Outlook, OneDrive and Google Drive accounts, threat actors transfer sensitive data from a victim's computer over services that are unlikely to set off security alarm bells.

The findings come from research the Symantec Threat Hunter Team is releasing on Wednesday at Black Hat USA, in a briefing titled Cloud Cover: How Sophisticated Malicious Actors Are Leveraging Legitimate Cloud Services.

[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]

"Attackers are shifting away from exfiltrating data to unknown or blacklisted C2 (command and control) domains liable to be flagged by security teams and instead turning to trusted services like OneDrive that are not scrutinized as thoroughly," said Marc Elias, an investigator with the Threat Hunter Team in an interview with SC Media.


In research posted Wednesday, Elias asserts that China-linked nation-state threat actors are leveraging these legitimate cloud services. He said these types of attacks are not new, but the tactic of abusing Microsoft's Graph API is growing.

“During our research we only found one campaign — OneDriveTools — targeting the IT sector in the United States, but this is just the beginning," Elias said.

In a report released in May, Symantec detailed research on malware found in Ukraine named BirdyClient that used the Microsoft Graph API and OneDrive as a C2 server to upload and download files from victims. 

Researchers said the attacks were first observed in South Asia and expect to spread to North America as attackers continue to succeed. Elias noted that attacks abusing the Microsoft Graph API are on systems that have already been compromised.

Microsoft Graph API is a RESTful web API that lets third-party applications and web services access Microsoft cloud account data and services such as Office 365, OneDrive and SharePoint. Authentication is carried out using OAuth access tokens.

The report doesn't suggest that either the Graph API or OAuth is flawed, merely that attackers use them as tooling on systems they have already compromised. Symantec's research also included new insights into the backdoor malware families used in conjunction with ongoing attacks.

"In the past few weeks alone, Symantec’s Threat Hunter Team has identified three further espionage operations using cloud services and found evidence of further tools in development," the report states. Malware families and hacker tools examined included GoGra, MoonTag, Onedrivetools, Google Drive Exfiltration and Grager.

Here’s a quick rundown of the attacks on cloud infrastructure the Symantec team has observed:

GoGra

A backdoor Symantec named GoGra (Trojan.Gogra) was deployed against a media organization in South Asia in November 2023. GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C2) server hosted on Microsoft mail services.

Google Drive Exfiltration

An exfiltration tool was deployed by the Firefly espionage group in an attack against a military organization in South East Asia. Analysis of the tool found that it was a publicly available Google Drive client in a Python wrapper.

Grager

A backdoor named Trojan.Grager was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis revealed that it used the Graph API to communicate with a C2 server hosted on Microsoft OneDrive.

MoonTag

A backdoor Symantec found called Trojan.Moontag appears to be in development. Several variants of the backdoor have been uploaded to VirusTotal in recent weeks, although none appeared complete.

Onedrivetools

Yet another backdoor, Onedrivetools, has been deployed against IT services companies in the United States and Europe. The backdoor uses the Graph API to interact with a C2 server hosted on OneDrive. It can execute received commands and save the output to OneDrive.

Bigger picture trend

While the Symantec report highlights attacks focused on South Asia, it's essential to recognize that threat actors often test and refine their tactics in one region before expanding to others, explained Stephen Kowski, Field CTO at SlashNext Email Security.

“As such, we'll likely see similar attacks targeting North America, particularly if the threat actors perceive value in doing so,” said Kowski. “Organizations in North America should remain vigilant and prioritize proactive defense strategies leveraging AI to proactively identify and stop malicious attacks and techniques. The trend of attacking the cloud is on the rise due to the increasing adoption of cloud services and the resulting expansion of the attack surface. They are in business to make money and will go where there's opportunity.”

Ngoc Bui, a cybersecurity expert at Menlo Security, added that threat actors are increasingly targeting cloud infrastructure because of its widespread adoption. As with any commonly used technology, Bui said, threat actors are aware of it and quickly adapt to exploit vulnerabilities.

“The growing reliance on cloud services makes them an attractive target, prompting threat actors to develop new or better methods to breach these systems,” said Bui. “As for whether the rest of the world should be concerned about threats targeting South Asia, the answer is a resounding ‘yes.’ Historically, threat actors have a pattern of reusing, selling, and modifying their malware to target different regions and organizations. North Korean threat actors are a prime example of this behavior.”

Mitigating against the threat

Elias said these types of attacks will continue to rise because cloud services give adversaries low-key, low-cost infrastructure and because the tactic is working. IT security teams need to:

  • Monitor inbound and outbound network traffic
  • Enforce strict access controls to prevent unauthorized access to Microsoft cloud platforms
  • Monitor Microsoft user accounts and disable inactive accounts
  • Deploy Endpoint Detection and Response (EDR) or Data Loss Protection solutions to prevent malware from exfiltrating sensitive data and from establishing communications with C2 servers 
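The Graph API is ordinary HTTPS traffic to graph.microsoft.com, so the "monitor inbound and outbound traffic" advice above comes down to asking which process on an endpoint is talking to Graph and whether it is uploading. The script below is an added example written for this article, not Symantec's detection logic or any product's schema: it runs a few simple rules over constructed, pipe-delimited proxy/EDR records (timestamp, host, process, method, HTTP host, path, bytes out). The process allowlist, the upload-path patterns and the 5 MB volume threshold are assumptions to tune per environment.

```python
"""Flag Microsoft Graph API traffic that does not look like normal client use.

Constructed example: the log lines below are made-up proxy/EDR records in a
simple pipe-delimited form (ts|host|process|method|http_host|path|bytes_out).
The allowlist, field layout and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed: Graph endpoints worth watching (commercial and US government clouds)
GRAPH_HOSTS = {"graph.microsoft.com", "graph.microsoft.us"}

# Assumed allowlist of processes expected to call Graph from a workstation
EXPECTED_PROCESSES = {
    "outlook.exe", "onedrive.exe", "teams.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

# Graph paths that move data out: drive content uploads, upload sessions, sending mail
UPLOAD_PATH = re.compile(
    r"/(drive|drives)/.*?(/content$|/createUploadSession$)|/sendMail$", re.IGNORECASE
)

UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # assumed: 5 MB per process per log window


@dataclass
class Record:
    ts: str
    host: str
    process: str
    method: str
    http_host: str
    path: str
    bytes_out: int


def parse_line(line: str) -> Record:
    """Split one pipe-delimited record and normalise case of process/method/host."""
    ts, host, proc, method, http_host, path, size = line.strip().split("|")
    return Record(ts, host, proc.lower(), method.upper(), http_host.lower(), path, int(size))


def analyze(lines):
    """Return a list of alert dicts for Graph traffic from unexpected processes,
    uploads from such processes, and per-process upload volume over threshold."""
    alerts = []
    upload_totals = defaultdict(int)  # (host, process) -> bytes uploaded via Graph
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        if r.http_host not in GRAPH_HOSTS:
            continue  # only Graph traffic is in scope for these rules
        unexpected = r.process not in EXPECTED_PROCESSES
        is_upload = r.method in {"PUT", "POST"} and UPLOAD_PATH.search(r.path) is not None
        if unexpected:
            alerts.append({"kind": "graph_from_unexpected_process", "host": r.host,
                           "process": r.process, "detail": f"{r.method} {r.path} at {r.ts}"})
        if is_upload:
            upload_totals[(r.host, r.process)] += r.bytes_out
            if unexpected:
                alerts.append({"kind": "graph_upload_from_unexpected_process", "host": r.host,
                               "process": r.process, "detail": f"{r.method} {r.path} at {r.ts}"})
    # Volume rule: applies to every process, allowlisted or not
    for (host, proc), total in upload_totals.items():
        if total >= UPLOAD_BYTES_THRESHOLD:
            alerts.append({"kind": "graph_upload_volume", "host": host,
                           "process": proc, "detail": f"{total} bytes uploaded"})
    return alerts


# Constructed sample records: one normal Outlook/OneDrive host, one host where an
# unfamiliar binary lists and uploads to OneDrive, one host where python sends mail.
SAMPLE_LOG = """
2024-08-07T09:00:01Z|WS-101|outlook.exe|GET|graph.microsoft.com|/v1.0/me/messages|512
2024-08-07T09:00:05Z|WS-101|onedrive.exe|PUT|graph.microsoft.com|/v1.0/me/drive/items/ABC/content|204800
2024-08-07T09:01:10Z|WS-101|svchost32.exe|GET|graph.microsoft.com|/v1.0/me/drive/root/children|300
2024-08-07T09:01:12Z|WS-101|svchost32.exe|PUT|graph.microsoft.com|/v1.0/me/drive/root:/out.bin:/content|3145728
2024-08-07T09:01:40Z|WS-101|svchost32.exe|POST|graph.microsoft.com|/v1.0/me/drive/root:/out2.bin:/createUploadSession|3145728
2024-08-07T09:02:00Z|WS-102|chrome.exe|GET|login.microsoftonline.com|/common/oauth2/v2.0/token|900
2024-08-07T09:02:30Z|WS-102|python.exe|POST|graph.microsoft.com|/v1.0/me/sendMail|65536
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"{alert['kind']:40} {alert['host']} {alert['process']} {alert['detail']}")
```

On the sample, the OneDrive client's own upload produces nothing, while the unfamiliar binary trips the unexpected-process rule on every call, the upload rule on its two uploads, and the volume rule once its two 3 MB uploads cross the 5 MB window. In practice the process-to-connection join comes from an EDR or a proxy that records client identity; without it, the only remaining signal is volume and timing, which is exactly why the report says these transfers hide in plain sight.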

