Threat Intelligence Tarot
Vol. II · 129
Russia-suspected
G0100
risk 3/5
The Cloud Atlas
Inception
Cloud Atlas · Inception Framework · Oxygen
Targets: CIS governments · Russian government and military · Eastern European diplomatic missions
Active since ~2012 · Long-term espionage, Diplomatic intelligence
The Cloud Atlas charts the territories of the digital East from above. Its dispatches travel through public cloud services that no enterprise firewall can plausibly block, every map drawn in someone else's storage.
Tactics & Techniques
Tactic columns (ATT&CK): RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1203 Exploitation for Client Execution (Execution)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1547.001 Registry Run Keys (Persistence)
  • T1071.001 Web Protocols (Command and Control)
  • T1102 Web Service (Command and Control)
Notable Operations
  • Mosquito and PowerShower implant families
  • CVE-2017-11882 Equation Editor exploitation
  • Cloud-service C2 abuse (CloudMe, WebDAV)
  • Sustained CIS-region diplomatic targeting since 2012
Defenses
  • Disable or remove Microsoft Equation Editor on all endpoints (Microsoft Security Baseline)
  • Egress filtering for unsanctioned cloud storage and WebDAV (CIS Control 9)
  • Document attachment sandboxing in email gateways (CIS Control 9)
  • Long-term EDR retention for cross-year intrusion correlation (NIST CSF: DE.AE)
Reversed: Their Weakness
Office security baseline enforcement against legacy exploits (especially Equation Editor) and explicit blocking of high-risk cloud service categories on egress reduce this operator's chosen surface.
Data sourced from MITRE ATT&CK. For educational purposes.