According to Russian experts from Positive Technologies, the Yandex.Disk service has become popular with hackers for conducting cyber-attacks; previously, foreign counterparts such as OneDrive and Dropbox were used extensively for the same purpose. Because file-hosting services have only a limited ability to detect malicious software, such sites become a staging base for malware.
According to Positive Technologies, Yandex.Disk has begun to be used by members of the foreign cybergroup APT31, and this is believed to be the first such use of the Russian file store. The infection scheme is simple: the victim is somehow pointed to what looks like a normal office document; when the user opens it, a macro runs that downloads both the document itself, which serves as a decoy, and an executable file that is used to load the malicious library, together with the library itself.
According to Izvestia, since the beginning of 2022 hackers have already attacked a number of media outlets and even fuel and energy companies using this technique. Yandex.Disk is used, among other things, to make the traffic generated by the attack look legitimate: in that case the malware is "extremely difficult to identify", since its traffic is virtually indistinguishable from the normal exchange of data between client and server. In addition, Yandex.Disk does not inspect the contents of user folders, so as not to compromise confidentiality; other services operate on the same basis.
According to some reports, data storage services are actively used by so-called APT groups that want to disguise their activity. The most effective protection is to refuse to open files from untrusted sources, and this applies to any document from the Internet. If such a file must be opened, experts recommend doing so on a separate computer that holds no important information. They stress that a well-prepared attack is almost impossible for an ordinary user to recognize. Nevertheless, experts advise using an antivirus in any case, regularly updating software, including operating systems and browsers, and refusing to run macros in unknown documents.
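The lure described above is a macro-enabled office document, and the last recommendation is to refuse macros in unknown documents. As an added example (not code from the article or from Positive Technologies), the following screening check flags OOXML documents that carry a VBA project before anyone opens them; the sample documents it builds are constructed in memory and are not real files.

```python
# Added example (not the article's or Positive Technologies' code): screen OOXML
# documents for VBA macro indicators before they are opened.
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Summarise macro indicators in an OOXML (zip-based) document.

    Checks for a vbaProject.bin part (word/, xl/ or ppt/), which holds the VBA
    project, and for [Content_Types].xml declaring the vbaProject content type.
    Input that is not a zip (e.g. a legacy OLE .doc) is reported as non-OOXML.
    """
    result = {"is_ooxml": False, "has_vba_project": False,
              "declares_vba_type": False, "parts": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["has_vba_project"] = bool(result["parts"])
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_type"] = VBA_CONTENT_TYPE in ct
    return result


def should_block(data: bytes) -> bool:
    """Screening policy: any macro indicator blocks the document."""
    r = inspect_ooxml(data)
    return r["has_vba_project"] or r["declares_vba_type"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed in-memory sample document (not a real file) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder VBA project storage")
    return buf.getvalue()
```

This only recognises the zip-based formats; legacy binary .doc/.xls files and macro-free documents that merely link to external content pass through and need separate checks.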