New wave of cyberattacks by APT group Cloud Atlas on Russia's government sector

Severity: Medium
Published: Fri Oct 31 2025 (10/31/2025, 09:34:13 UTC)
Source: AlienVault OTX General

Description

APT group Cloud Atlas has initiated a new campaign targeting Russia's defense sector using sophisticated spear-phishing with malicious Microsoft Office documents crafted from stolen templates. The attackers remove metadata to obscure victim attribution and leverage compromised email accounts for lateral movement via business email compromise (BEC). They employ the PowerShower backdoor and exfiltrate data using the Google Sheets API, indicating advanced operational security and persistence. The campaign infrastructure has shifted to new servers and domains, suggesting ongoing activity. While primarily focused on Russian defense entities, the tactics and tools used pose risks to organizations with similar profiles or supply chain links. The threat requires vigilance against targeted phishing, monitoring of email account integrity, and detection of unusual API usage. Given the medium severity rating and complexity, European defense and critical infrastructure sectors should be alert to potential spillover or related campaigns. Mitigation involves enhanced email security, metadata analysis, and network monitoring for PowerShell-based backdoors and cloud API anomalies.

AI-Powered Analysis

Last updated: 10/31/2025, 11:24:54 UTC

Technical Analysis

The APT group known as Cloud Atlas has launched a renewed wave of cyberattacks specifically targeting Russia's defense industry. The attackers use document templates stolen from previously compromised organizations to craft malicious Microsoft Office files, which are then weaponized to deliver malware. To evade detection and attribution, the group strips the metadata from these documents, preventing defenders from tracing the source or the victim organizations. The initial infection vector is business email compromise (BEC): the attackers send their lures from compromised email accounts, moving laterally from one targeted company to the next. The malicious documents are disguised as legitimate, contextually relevant files such as invitations, anti-corruption checks, mobilization documents, employee records and financial statements, increasing the likelihood that a recipient opens them. Once executed, the malware deploys the PowerShower backdoor, a known Cloud Atlas tool, giving the group persistent access to and control over infected systems. For data exfiltration the group uses the Google Sheets API, a novel method that blends exfiltration traffic with legitimate cloud service usage and complicates detection. The campaign infrastructure has recently migrated to new servers and domains, indicating an ongoing and evolving operation. The attack techniques align with multiple MITRE ATT&CK tactics and techniques, including spear-phishing (T1566), use of legitimate cloud services for command and control and exfiltration (T1102), and credential access via BEC (T1586). Although the campaign currently targets Russian defense enterprises, the sophistication and tactics employed could be adapted against other high-value targets.

No known public exploits exist for this threat, and no specific affected software versions are identified, underscoring the threat's reliance on social engineering and operational security rather than software vulnerabilities.

Potential Impact

For European organizations, particularly those in the defense, government, and critical infrastructure sectors, the Cloud Atlas campaign represents a significant risk due to the advanced social engineering and stealthy operational methods employed. While the current focus is on Russian defense entities, European companies with supply chain or collaborative ties to Russian defense or related industries could be indirectly targeted or affected by spillover attacks. The use of compromised email accounts for lateral movement and BEC attacks highlights the risk of credential theft and insider threat vectors, which could lead to unauthorized access, data breaches, and espionage. The deployment of the PowerShower backdoor enables persistent remote access, potentially allowing attackers to conduct long-term surveillance, data theft, or sabotage. Utilizing the Google Sheets API for data exfiltration complicates detection, as traffic may blend with legitimate cloud service usage, increasing the likelihood of data loss without immediate detection. The campaign's evasion techniques, such as metadata cleaning, reduce forensic traceability, hindering incident response and attribution efforts. Overall, the threat could undermine confidentiality and integrity of sensitive information, disrupt operations, and damage national security interests if European defense or governmental entities become targets or collateral victims.

Mitigation Recommendations

European organizations should implement targeted mitigations beyond generic advice to counter this threat effectively:

- Enhance email security by deploying advanced anti-phishing solutions capable of detecting spear-phishing attempts and analyzing document metadata anomalies.
- Enforce multi-factor authentication (MFA) on all email and cloud service accounts to reduce the risk of credential compromise and lateral movement via BEC.
- Conduct regular user awareness training focused on recognizing sophisticated phishing lures, especially those mimicking official documents such as invitations or financial statements.
- Monitor network traffic for unusual use of cloud APIs, particularly Google Sheets API calls, which may indicate covert data exfiltration.
- Deploy endpoint detection and response (EDR) tools able to detect PowerShell-based backdoors such as PowerShower, including behavioral analysis of script execution and command patterns.
- Maintain up-to-date threat intelligence feeds to track infrastructure changes and indicators of compromise related to Cloud Atlas.
- Audit email account activity regularly and implement anomaly detection to identify unauthorized access or unusual forwarding rules.
- Establish incident response playbooks tailored to APT tactics involving social engineering and cloud-based exfiltration to enable rapid containment and remediation.
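As an added example (not code from the OTX pulse or the PT Security report), the following Python sweep applies two of the checks above to constructed endpoint network-log lines: it matches destinations against the domains and IPs listed in this pulse, and it flags Google Sheets API traffic originated by a script host such as powershell.exe rather than a browser. The log line format, host names and the list of script hosts are assumptions.

```python
import re
from dataclasses import dataclass

# Domains and IPs listed as indicators of compromise in this pulse.
IOC_DOMAINS = {"officeconfirm.technoguides.org", "block-monitor.net",
               "cloud-workstation.com", "cyberservice24.com"}
IOC_IPS = {"193.233.48.245", "194.87.252.14", "45.140.169.16", "45.156.21.167"}
# Google Sheets API host. Browsers and office suites reach it routinely;
# script hosts normally do not (this list of script hosts is an assumption).
SHEETS_API_HOST = "sheets.googleapis.com"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass
class Alert:
    host: str
    process: str
    dest: str
    reason: str

# Assumed log line shape: "<ts> host=<name> proc=<image path> dst=<fqdn-or-ip>:<port>"
LINE_RE = re.compile(r"host=(\S+) proc=(.+?) dst=([^:\s]+):(\d+)")

def triage(lines):
    """Return one Alert per line that hits an IoC or shows Sheets API use by a script host."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        host, proc, dest, _port = m.groups()
        proc_name = proc.rsplit("\\", 1)[-1].lower()  # image name only
        dest = dest.lower()
        if dest in IOC_DOMAINS or dest in IOC_IPS:
            alerts.append(Alert(host, proc_name, dest, "known Cloud Atlas IoC"))
        elif dest == SHEETS_API_HOST and proc_name in SCRIPT_HOSTS:
            alerts.append(Alert(host, proc_name, dest,
                                "Sheets API reached from a script host (possible exfil channel)"))
    return alerts

SAMPLE_LOG = [  # constructed sample telemetry, not real log data
    "2025-10-31T09:00:01Z host=ws-17 proc=C:\\Program Files\\Google\\Chrome\\chrome.exe dst=sheets.googleapis.com:443",
    "2025-10-31T09:00:05Z host=ws-17 proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=sheets.googleapis.com:443",
    "2025-10-31T09:01:10Z host=ws-22 proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dst=officeconfirm.technoguides.org:443",
    "2025-10-31T09:02:00Z host=ws-22 proc=C:\\Windows\\explorer.exe dst=45.140.169.16:80",
    "2025-10-31T09:02:30Z malformed entry",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.host} {a.process} -> {a.dest}: {a.reason}")
```

The browser's Sheets API call on ws-17 produces no alert; only the same destination reached from powershell.exe does, which is the distinction the mitigation above relies on.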


Technical Details

Author
AlienVault
Tlp
white
References
https://www.ptsecurity.com/research/pt-esc-threat-intelligence/novaya-volna-kiberatak-apt-gruppirovki-cloud-atlas-na-gosudarstvennyj-sektor-rossii/
Adversary
Cloud Atlas
Pulse Id
69048295b869934bfccecceb
Threat Score
null

Indicators of Compromise

Ip

193.233.48.245
194.87.252.14
45.140.169.16
45.156.21.167

Domain

officeconfirm.technoguides.org
block-monitor.net
cloud-workstation.com
cyberservice24.com


Threat ID: 69049c46479ed964d8e04a03

Added to database: 10/31/2025, 11:23:50 AM

Last enriched: 10/31/2025, 11:24:54 AM

Last updated: 10/31/2025, 6:25:55 PM