Exfiltration Over Web Service: Exfiltration to Cloud Storage

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

ID: T1567.002
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
S0635 BoomBox

BoomBox can upload data to dedicated per-victim folders in Dropbox.[1]

S0651 BoxCaon

BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.[2]

G0114 Chimera

Chimera has exfiltrated stolen data to OneDrive accounts.[3]

S0660 Clambling

Clambling can send files from a victim's machine to Dropbox.[4][5]

G0142 Confucius

Confucius has exfiltrated victim data to cloud storage service accounts.[6]

S0538 Crutch

Crutch has exfiltrated stolen data to Dropbox.[7]

S0363 Empire

Empire can use Dropbox for data exfiltration.[8]

G0046 FIN7

FIN7 has exfiltrated stolen data to the MEGA file sharing site.[9]


HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[10]


HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.[11]

G0094 Kimsuky

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.[12]

G0032 Lazarus Group

Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli.[13][14]

G0065 Leviathan

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[15][16]

S0340 Octopus

Octopus has exfiltrated data to file sharing sites.[17]

S0629 RainyDay

RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[18]


ROKRAT can send collected data to cloud storage services such as PCloud.[19][20]

G0027 Threat Group-3390

Threat Group-3390 has exfiltrated stolen data to Dropbox.[4]

G0010 Turla

Turla has used WebDAV to upload stolen USB files to a cloud drive.[21] Turla has also exfiltrated stolen files to OneDrive and 4shared.[22]


ZIRCONIUM has exfiltrated stolen data to Dropbox.[23]


ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.


ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.

DS0022 File File Access

Monitor for files being accessed to exfiltrate data to a cloud storage service rather than over their primary command and control channel.

DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


  1. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  2. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  3. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  4. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  5. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  6. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  7. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  8. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  9. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  10. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  11. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.