Description
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
Platforms
Mitigations (1)
Restrict Web-Based ContentM1021
Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
Threat Groups (25)
| ID | Group | Context |
|---|---|---|
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.(Citation: Proofpoint... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) will exfiltrate victim data using applications such as [Rclone](https://attack.mitre.org/software/S1040... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has exfiltrated data to Google Drive.(Citation: Bitdefender LuminousMoth July 2021) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky ... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has exfiltrated stolen data to Dropbox.(Citation: Trend Micro DRBControl February 2020) |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has also exfiltrated archived files to cloud services such as Dropbox using `curl`.(Citation: P... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has exfiltrated victim data to cloud storage service accounts.(Citation: TrendMicro Confucius APT F... |
| G1005 | POLONIUM | [POLONIUM](https://attack.mitre.org/groups/G1005) has exfiltrated stolen data to [POLONIUM](https://attack.mitre.org/groups/G1005)-owned OneDrive and ... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used cloud services, including OneDrive, for data exfiltration.(Citation: Microsoft POLONIUM June ... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized [Rclone](https://attack.mitre.org/software/S1040) to exfiltrate data from victim en... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has exfiltrated stolen data to the MEGA file sharing site.(Citation: Google Mandiant Storm-0501 Sa... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated stolen victim data to various cloud storage providers.(Citation: Mandiant FIN12... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has exfiltrated data using [Rclone](https://attack.mitre.org/software/S1040) or MEGASync prior ... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019) [Tur... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has exfiltrated data to file sharing sites, including MEGA.(Citation: Microsoft HAFNIUM March 2020) |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has attempted to exfiltrate data to Wasabi, a cloud storage service, using [Rclone](https://attack... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has exfiltrated stolen passwords to Dropbox.(Citation: Sekoia ClickFake 2025) |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMi... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used tools such as [Rclone](https://attack.mitre.org/software/S1040) to exfiltrate information... |
Associated Software (16)
| ID | Name | Type | Context |
|---|---|---|---|
| S9034 | Tsundere Botnet | Malware | [Tsundere Botnet](https://attack.mitre.org/software/S9034)’s variant DinDoor has used [Rclone](https://attack.mitre.org/software/S1040) to access a Wa... |
| S1040 | Rclone | Tool | [Rclone](https://attack.mitre.org/software/S1040) can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.(Ci... |
| S0629 | RainyDay | Malware | [RainyDay](https://attack.mitre.org/software/S0629) can use a file exfiltration tool to upload specific files to Dropbox.(Citation: Bitdefender Naikon... |
| S1023 | CreepyDrive | Malware | [CreepyDrive](https://attack.mitre.org/software/S1023) can use cloud services including OneDrive for data exfiltration.(Citation: Microsoft POLONIUM J... |
| S0037 | HAMMERTOSS | Malware | [HAMMERTOSS](https://attack.mitre.org/software/S0037) exfiltrates data by uploading it to accounts created by the actors on Web cloud storage provider... |
| S1170 | ODAgent | Malware | [ODAgent](https://attack.mitre.org/software/S1170) can use an attacker-controlled OneDrive account for exfiltration.(Citation: ESET OilRig Downloaders... |
| S1222 | RIFLESPINE | Malware | [RIFLESPINE](https://attack.mitre.org/software/S1222) can upload results from executed C2 commands to cloud storage.(Citation: Google Cloud Mandiant ... |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) can send files from a victim's machine to Dropbox.(Citation: Trend Micro DRBControl February 2020... |
| S0538 | Crutch | Malware | [Crutch](https://attack.mitre.org/software/S0538) has exfiltrated stolen data to Dropbox.(Citation: ESET Crutch December 2020) |
| S1172 | OilBooster | Malware | [OilBooster](https://attack.mitre.org/software/S1172) can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API.(Citati... |
| S0340 | Octopus | Malware | [Octopus](https://attack.mitre.org/software/S0340) has exfiltrated data to file sharing sites.(Citation: ESET Nomadic Octopus 2018) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can use Dropbox for data exfiltration.(Citation: Github PowerShell Empire) |
| S0651 | BoxCaon | Malware | [BoxCaon](https://attack.mitre.org/software/S0651) has the capability to download folders' contents on the system and upload the results back to its D... |
| S1102 | Pcexter | Malware | [Pcexter](https://attack.mitre.org/software/S1102) can upload stolen files to OneDrive storage accounts via HTTP `POST`.(Citation: Kaspersky ToddyCat ... |
| S0240 | ROKRAT | Malware | [ROKRAT](https://attack.mitre.org/software/S0240) can send collected data to cloud storage services such as PCloud.(Citation: Malwarebytes RokRAT VBA ... |
| S0635 | BoomBox | Malware | [BoomBox](https://attack.mitre.org/software/S0635) can upload data to dedicated per-victim folders in Dropbox.(Citation: MSTIC Nobelium Toolset May 20... |
Frequently Asked Questions
What is T1567.002 (Exfiltration to Cloud Storage)?
T1567.002 is a MITRE ATT&CK technique named 'Exfiltration to Cloud Storage'. It belongs to the Exfiltration tactic(s). Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a...
How can T1567.002 be detected?
Detection of T1567.002 (Exfiltration to Cloud Storage) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1567.002?
There are 1 documented mitigations for T1567.002. Key mitigations include: Restrict Web-Based Content.
Which threat groups use T1567.002?
Known threat groups using T1567.002 include: Leviathan, Akira, LuminousMoth, Kimsuky, Threat Group-3390, Mustang Panda, Confucius, POLONIUM.