T1537 Transfer Data to Cloud Account Mappings

Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts. (Citation: DOJ GRU Indictment Jul 2018)

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1537 | Transfer Data to Cloud Account |
| AC-17 | Remote Access | Protects | T1537 | Transfer Data to Cloud Account |
| AC-2 | Account Management | Protects | T1537 | Transfer Data to Cloud Account |
| AC-20 | Use of External Systems | Protects | T1537 | Transfer Data to Cloud Account |
| AC-3 | Access Enforcement | Protects | T1537 | Transfer Data to Cloud Account |
| AC-4 | Information Flow Enforcement | Protects | T1537 | Transfer Data to Cloud Account |
| AC-5 | Separation of Duties | Protects | T1537 | Transfer Data to Cloud Account |
| AC-6 | Least Privilege | Protects | T1537 | Transfer Data to Cloud Account |
| CA-7 | Continuous Monitoring | Protects | T1537 | Transfer Data to Cloud Account |
| CM-5 | Access Restrictions for Change | Protects | T1537 | Transfer Data to Cloud Account |
| CM-6 | Configuration Settings | Protects | T1537 | Transfer Data to Cloud Account |
| CM-7 | Least Functionality | Protects | T1537 | Transfer Data to Cloud Account |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1537 | Transfer Data to Cloud Account |
| IA-3 | Device Identification and Authentication | Protects | T1537 | Transfer Data to Cloud Account |
| IA-4 | Identifier Management | Protects | T1537 | Transfer Data to Cloud Account |
| IA-8 | Identification and Authentication (Non-organizational Users) | Protects | T1537 | Transfer Data to Cloud Account |
| SC-7 | Boundary Protection | Protects | T1537 | Transfer Data to Cloud Account |
| SI-10 | Information Input Validation | Protects | T1537 | Transfer Data to Cloud Account |
| SI-15 | Information Output Filtering | Protects | T1537 | Transfer Data to Cloud Account |
| SI-4 | System Monitoring | Protects | T1537 | Transfer Data to Cloud Account |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1537 | Transfer Data to Cloud Account |