30 October 2024

Russian APT29 targets over 100 critical sector orgs via RDP

The Russian threat actor APT29, also known as Midnight Blizzard, UNC2452 and Cozy Bear, has been targeting organizations across critical sectors, including government agencies, higher education, defense, and non-governmental organizations (NGOs) since October 22, 2024, a new report from Microsoft warns.

APT29 has been linked to the Russian Federation’s Foreign Intelligence Service (SVR). The threat actor has consistently targeted governments, diplomatic institutions, NGOs, and IT service providers, primarily in the United States and Europe, since at least 2018. The group’s tactics involve gaining and expanding access through a variety of techniques, including stolen credentials, supply chain attacks, and advanced attacks that bypass authentication mechanisms to establish footholds within targeted environments.

In its most recent campaign, the threat actor targeted more than 100 organizations via phishing emails designed to trick users into opening a Remote Desktop Protocol (RDP) configuration file to gain access to a victim system. The emails were crafted to appear as if they originate from legitimate sources such as Microsoft and Amazon Web Services (AWS) and incorporated themes around Zero Trust. This campaign has been previously detailed by Ukraine’s CERT team that tracks the activity as UAC-0215. Last week, Amazon announced it seized internet domains used by APT29 in its attacks.

According to Microsoft, the campaign has targeted organizations across multiple countries, particularly focusing on the United Kingdom, Europe, Australia, and Japan. In some instances, the threat actor has impersonated Microsoft employees to enhance the credibility of the malicious emails.

Once opened, the attached RDP file establishes a connection to an attacker-controlled server. This file carries preconfigured settings and mapped resources, allowing the attackers to access a wide range of data from the compromised system.
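A defender triaging such attachments wants to see which local resources a .rdp file would hand to the remote host and whether that host is one the organization operates. The following added example (not from Microsoft's report or any tool it names) parses the standard `key:type:value` lines of an .rdp file and flags files that map drives, clipboard, printers or smart cards toward a host outside a constructed, assumed trusted suffix list; the sample file is constructed.

```python
from dataclasses import dataclass

# Standard Remote Desktop client settings that expose local resources to the remote host.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",       # s-type: drive list, or "*" for all drives
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",         # i-type: 1 enables
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
}

# Assumed placeholder: DNS suffixes of RDP hosts the organization actually operates.
TRUSTED_SUFFIXES = ("rdp.corp.example",)

@dataclass
class RdpFinding:
    host: str
    redirected: list
    trusted_host: bool

def parse_rdp(text):
    """Return a dict of setting name -> value from .rdp 'key:type:value' lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:                     # skip blank or malformed lines
            key, _rdp_type, value = parts
            settings[key.strip().lower()] = value.strip()
    return settings

def assess_rdp(text, trusted_suffixes=TRUSTED_SUFFIXES):
    settings = parse_rdp(text)
    # 'full address' may carry a port (host:3389); keep only the host part.
    host = settings.get("full address", "").rsplit(":", 1)[0].lower()
    redirected = [label for key, label in REDIRECTION_KEYS.items()
                  if settings.get(key, "") not in ("", "0")]
    trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    return RdpFinding(host=host, redirected=redirected, trusted_host=trusted)

def is_suspicious(finding):
    """Flag files that redirect local resources to a host we do not operate."""
    return bool(finding.redirected) and not finding.trusted_host

# Constructed sample resembling a lure attachment: every resource mapped to an external host.
SAMPLE_RDP = """full address:s:gateway.example.invalid:3389
username:s:user
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
"""

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP), is_suspicious(assess_rdp(SAMPLE_RDP)))
```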
