Behavioural Analysis

Stealth-State Actors: Silent Persistence, Slow Exfiltration, and Cloud-Based C2

In contrast to ransomware operators and high-noise cybercriminals, a growing class of state-aligned threat actors operates with quiet precision. These stealth-state actors, including groups such as Silent Ransom (Silk Typhoon), Gallium, and APT27, specialise in long-term infiltration, passive surveillance, and the gradual exfiltration of valuable information. Their methods favour persistence over disruption and rely on low-volume, low-frequency exfiltration techniques, coupled with legitimate cloud services as their command and control channels.

This post examines the tradecraft behind these silent operations and provides actionable technical guidance to improve visibility and detection within UK-based enterprises.

Why Stealth Matters

State-linked groups increasingly understand that quiet access is strategic access. Rather than deploying ransomware or defacing systems, these actors prioritise:

  • Maintaining long-term, undetected presence
  • Exfiltrating intellectual property, operational data, and communications
  • Avoiding forensic footprints by using system-native tools
  • Blending into cloud traffic to evade traditional C2 detection mechanisms

These campaigns are especially dangerous for organisations that process sensitive research, infrastructure designs, strategic contracts, or classified communications.

The Rise of Cloud-Based Command and Control

Actors such as Silent Ransom exploit the ubiquity of cloud services to hide C2 traffic. Common tactics include:

  • Using services like OneDrive, Dropbox, or Google Drive to exfiltrate stolen files
  • Encoding data into HTTP POST requests or encrypted uploads that appear legitimate
  • Abusing cloud APIs (e.g., Graph API, AWS SDK) for remote control and persistence
  • Leveraging business SaaS tools (e.g., Slack, Trello, Office 365) for message-based C2

This makes detection particularly difficult for organisations that have poor telemetry across SaaS platforms or that rely heavily on encrypted outbound traffic.

Technical Detection Advisory

This section outlines practical steps for defenders to detect and respond to slow data exfiltration and stealthy cloud C2 channels.

Indicators of Slow Exfiltration

  • Small but consistent data transfers from internal hosts to cloud storage over extended periods
  • Anomalous archive creation (e.g., repeated creation of .zip, .7z, or .rar files in user folders)
  • Use of FTP/SFTP clients by non-admin users
  • Repeated access to business-critical directories from low-privilege or newly created accounts
  • Sudden increase in PowerShell scripts interacting with APIs or file paths

Suspicious Cloud C2 Behaviour

  • Outbound HTTPS traffic to uncommon cloud storage domains outside working hours
  • Use of unrecognised OAuth app registrations within Microsoft 365 or Google Workspace
  • Beaconing patterns where the host contacts the same cloud service at regular intervals
  • Unusual download/upload volumes for endpoints typically used for email or documents only
  • Presence of tools such as Rclone or MEGAsync, or use of curl and Invoke-WebRequest in scripts

Defensive Recommendations

To improve detection and resilience against stealth-state actor activity:

  • Enable detailed cloud application logging (e.g., Microsoft Defender for Cloud Apps, Google Workspace Alert Center)
  • Audit and restrict OAuth applications, including third-party integrations and user-consented apps
  • Set up alerts for unusual volumes of data uploads, especially outside of business hours
  • Deploy endpoint detection and response (EDR) platforms with memory and behaviour-based detection
  • Implement DNS logging and inspection to detect outbound connections to uncommon services
  • Ensure DLP tools are configured to monitor sensitive file types and bulk transfer activity

Real-World Application

In 2023, a UK-based research consortium unknowingly hosted Silent Ransom infrastructure for several months. The threat actor avoided detection by:

  • Creating compressed research exports every weekend
  • Using a compromised staff account to upload files to a Dropbox account via browser-based sessions
  • Accessing the system only during night shifts to avoid anomaly detection
  • Exfiltrating under 100MB of data per week to avoid bandwidth alerts

This case highlights the importance of behavioural baselining, cross-timezone monitoring, and a shift away from relying solely on high-volume or known-malware indicators.
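As an added example (not code from the original post), the following script turns the indicators from the detection advisory above into a check over proxy logs and is tuned to the pattern in this case: uploads to a cloud-storage domain on many distinct days, a weekly total under the 100MB bandwidth-alert threshold, and activity that is either mostly outside working hours or spaced at near-constant intervals (beaconing). The log format, the watchlist domain, the sample hosts and the thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines, assumed format: "timestamp host dest_domain bytes_sent".
# ws-17 pushes ~10 MB to a cloud-storage domain every night; ws-03 is ordinary daytime use.
SAMPLE_LOG = """\
2023-03-04T02:10:00 ws-17 sync.cloud-storage.test 9500000
2023-03-05T02:11:00 ws-17 sync.cloud-storage.test 9800000
2023-03-06T02:10:00 ws-17 sync.cloud-storage.test 9400000
2023-03-07T02:12:00 ws-17 sync.cloud-storage.test 9600000
2023-03-08T02:10:00 ws-17 sync.cloud-storage.test 9900000
2023-03-09T02:11:00 ws-17 sync.cloud-storage.test 9300000
2023-03-10T02:10:00 ws-17 sync.cloud-storage.test 9700000
2023-03-06T10:30:00 ws-03 sync.cloud-storage.test 4000000
2023-03-08T15:05:00 ws-03 sync.cloud-storage.test 60000000
2023-03-07T14:00:00 ws-03 mail.intranet.test 120000
"""
WATCHED = {"sync.cloud-storage.test"}  # assumed watchlist of cloud-storage domains

def parse_log(text):
    """Parse the constructed log format into (datetime, host, domain, bytes_sent) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, domain, sent = line.split()
        events.append((datetime.fromisoformat(ts), host, domain, int(sent)))
    return events

def analyse(events, work_hours=(8, 18), min_days=5, max_weekly_mb=100, max_cv=0.2):
    """Return {(host, domain): metrics} for pairs that look like low-and-slow exfiltration."""
    groups = defaultdict(list)
    for dt, host, domain, sent in events:
        if domain in WATCHED:
            groups[(host, domain)].append((dt, sent))
    flagged = {}
    for key, items in groups.items():
        items.sort()
        days = {dt.date() for dt, _ in items}
        span_weeks = max((items[-1][0] - items[0][0]).days + 1, 7) / 7
        weekly_mb = sum(b for _, b in items) / 1e6 / span_weeks  # stays under bandwidth alerts
        off_hours = sum(not work_hours[0] <= dt.hour < work_hours[1] for dt, _ in items) / len(items)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 else None  # low CV = regular beaconing
        if len(days) >= min_days and weekly_mb <= max_weekly_mb and (
                off_hours >= 0.5 or (cv is not None and cv <= max_cv)):
            flagged[key] = {"days": len(days), "weekly_mb": weekly_mb,
                            "off_hours": off_hours, "cv": cv}
    return flagged
```

Run `analyse(parse_log(SAMPLE_LOG))` to see that only ws-17 is flagged, with its nightly ~67MB/week pattern and near-zero interval variation; a single large daytime upload from ws-03 is not.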

Conclusion

Stealth-state actors like Silent Ransom represent a growing challenge for defenders. Their use of legitimate platforms and subtle tactics demands a proactive, visibility-focused security posture. By improving identity monitoring, SaaS auditing, and anomaly detection, organisations can better defend against threats that aim not to destroy—but to observe, extract, and influence quietly from within.
