12 December 2022

Cloud Atlas cyber-espionage group targets entities in Russia, Belarus


Since the start of the Russian-Ukrainian conflict a cyber-espionage group known as Cloud Atlas or Inception has focused its activities on Russia and Belarus, as well as conflicted areas in Ukraine and Moldova, according to a new report from Check Point.

First spotted in 2014, the group has historically targeted critical infrastructure across geographical zones and political conflicts, including Western and Southeast Asia and Europe (especially, but not only, Eastern Europe). As tensions between Russia and Ukraine escalated in 2021, and after the full-scale war broke out in February 2022, Cloud Atlas significantly narrowed the scope of its attacks, focusing primarily on targets in Russia, Belarus, and contested areas of Ukraine and Moldova: the Crimean Peninsula, the Luhansk and Donetsk regions, and the pro-Russian Transnistria breakaway region of Moldova (the Transnistrian Moldavian Republic).

“In March-April 2022, Cloud Atlas was observed targeting entities in the pro-Russian Transnistria breakaway region of Moldova, officially known as the Transnistrian Moldavian Republic, where tensions were escalating amid fears that Russia would try to extend its sovereignty to Transnistria or use the republic’s territories for an offensive against Ukraine. Since June 2022, we have seen multiple persistent campaigns focused on very specific targets in Belarus, mainly in its transportation and military radio-electronics sectors, and in Russia, including the government sector, energy and metal industries. The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk and Donetsk regions,” Check Point said.

The researchers noted in their report that the group's tactics, techniques, and procedures (TTPs) have largely remained the same over the years. Cloud Atlas breaches target networks via spear-phishing emails with malicious attachments, sent from public email services such as Yandex, Mail.ru and Outlook.com. In some cases the group attempted to spoof existing domains of other entities that the target is likely to trust.

The email attachment is usually a Microsoft Office document carefully tailored to the target. Rather than carrying the exploit itself, the document retrieves a malicious remote template from the attackers' servers, and that template exploits five-year-old vulnerabilities in the Microsoft Equation Editor component such as CVE-2017-11882 and CVE-2018-0802. Both flaws have had patches available since November 2017 and January 2018 respectively, and Microsoft removed the vulnerable Equation Editor binary from Office in the January 2018 security update, so the technique only works against targets running unpatched Office installations.
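The lure document itself contains no exploit; the malicious content arrives in the template that Word fetches when the file is opened, so a scanner that only looks at the document body or at macros will miss this stage. The following is an added example (not code from the Check Point report or from Cloud Atlas) showing where Word stores the remote-template reference in an Office Open XML file and how a triage script can flag it. The sample .docx is constructed in memory, and the host 203.0.113.10 and the file name sample.dotm are placeholders, not indicators from the report.

```python
# Added example: static check for Office Open XML documents that load a remote
# template. Word records the template in word/_rels/settings.xml.rels as a
# Relationship of type attachedTemplate with TargetMode="External"; an http(s)
# or UNC target is the remote-template delivery pattern described in the article.
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def remote_templates(doc_bytes):
    """Return (rels part, target) pairs for every attachedTemplate relationship
    whose TargetMode is External. All .rels parts are scanned, not only the
    settings part, because the relationship can be placed elsewhere by hand."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue  # malformed rels part: skip it rather than crash the scan
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    hits.append((part, rel.get("Target", "")))
    return hits


def verdict(doc_bytes):
    """'remote-template' when an external template is fetched over the network
    (http, https or a UNC path), 'local-template' for any other external target
    (e.g. a corporate template on a local drive), otherwise 'clean'."""
    hits = remote_templates(doc_bytes)
    if not hits:
        return "clean"
    for _, target in hits:
        t = target.strip().lower()
        if t.startswith(("http://", "https://", "\\\\")):
            return "remote-template"
    return "local-template"


def build_sample_docx(template_target=None):
    """Construct a minimal .docx in memory (constructed test sample, not a real
    lure). With template_target set, the file carries the external
    attachedTemplate relationship exactly where Word stores one."""
    rels_open = f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<Relationships xmlns="{PKG_REL_NS}">'
    settings = f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{OFFICE_REL_NS}">'
    if template_target is not None:
        settings += '<w:attachedTemplate r:id="rId1"/>'
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", rels_open +
                   f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/officeDocument" '
                   'Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
        if template_target is not None:
            z.writestr("word/_rels/settings.xml.rels", rels_open +
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host and file name, not indicators from the report.
    print(verdict(build_sample_docx("http://203.0.113.10/sample.dotm")))
```

This check covers the first stage only: the fetched template, not the document, is what carries the Equation Editor exploit, and a template delivered as RTF with an embedded OLE object is not a zip container and needs a separate OLE scan (for example with oletools' rtfobj). Because the report notes that the template server only answers whitelisted source addresses, an analyst who downloads the template from outside the target's network should expect an empty or benign response and should not treat that as evidence the link is harmless.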

“For both external templates and the later stages of the campaign, the attackers closely control who can access them by whitelisting the targets. This is a known technique used by Cloud Atlas to collect the IP information of the victims by first sending them reconnaissance documents, which do not contain any malicious functionality aside from fingerprinting the victim. Whitelisting can be easily performed in those cases where the targeted entities are large enough to have their own ASN. The use of whitelisting significantly decreases the chances of the malicious components executing in sandboxes or research environments,” the report said.

In the next stage of the attack, a PowerShell-based backdoor called "PowerShower" is planted on the victim system. Once running, the backdoor mainly waits for further instructions from the attackers' command and control server. The researchers note that the threat actor has made no significant changes to the core of its modular backdoor in the seven years since the group's discovery in 2014.

“Cloud Atlas continues to use the simple but effective method of social engineering, using spear-phishing emails to compromise their targets. Judging by the fact that the group continues to be very active despite only minor changes in TTPs, their methods seem to be successful. Not only do they manage to penetrate their targets and expand their initial access to the entire domain, but they can also use them as proxies for other operations,” Check Point concluded.
