Threat Hunting

Microsoft Graph API Exploitation in State-Backed Espionage on the Rise

Share
Credit: Adobe Stock Images

More state-sponsored threat operations have been leveraging Microsoft Graph API alongside cloud services Microsoft Outlook and OneDrive, as well as Google Drive, to facilitate data exfiltration in new cyberespionage campaigns, SC Media reports.

U.S. and European IT service providers have been targeted with the Onedrivetools backdoor, which exploits Graph API to communicate with a OneDrive-hosted command-and-control server, according to Symantec Threat Hunter Team research presented at this year's Black Hat USA conference. OneDrive-hosted C2 server communications have also been conducted through the Graph API by the Grager trojan in intrusions aimed at three organizations in Taiwan, Vietnam, and Hong Kong, while another South Asian media organization was subjected to an attack with the GoGra backdoor that exploited Graph API to enable Outlook-based C2 interactions.

Researchers also discovered a Google Drive exfiltration tool leveraged by the Firefly threat operation in an attack against a South East Asian military entity, as well as various MoonTag trojan variants that are under development. Such a development was noted by experts to emphasize the importance of proactively defending cloud environments.