BlueHat IL 2023 - Justin Warner - Exploring STRONTIUM's Abuse of Cloud Services

1,378 views

Microsoft Israel R&D Center

A year ago

Dissecting FusionDrive - Exploring STRONTIUM's Abuse of Cloud Services
STRONTIUM (overlapping with FancyBear and APT28) has long used legitimate services and cloud platforms to evade defenders. Most notably, the actor uses malware tracked by Microsoft as FusionDrive, an early-stage capability that facilitates access to valuable networks. From late 2021 until mid-2022, the Microsoft Threat Intelligence Center (MSTIC) observed significant use of FusionDrive against high-value government, military, and telecommunications organizations across Central Asia and Europe. In several campaigns, FusionDrive was packaged with novel access methods, including an exclusive zero-day exploit for a security feature bypass in Microsoft Excel (CVE-2021-42292) and various implementations of the already patched CVE-2021-40444. In early 2022, MSTIC undertook an effort to track and disrupt the use of FusionDrive, leading to account takedowns, product protections, and nation-state notifications, including notifications to victims targeted as part of STRONTIUM's efforts in the war in Ukraine. This talk introduces the STRONTIUM actor and the FusionDrive malware family, provides technical insight into the TTPs employed and the vulnerabilities exploited, and tells the story of MSTIC's efforts to track and disrupt FusionDrive.

Comments