The Russian threat actor APT29, also known as Midnight Blizzard, UNC2452 and Cozy Bear, has been targeting organizations across critical sectors, including government agencies, higher education, defense, and non-governmental organizations (NGOs) since October 22, 2024, a new report from Microsoft warns.
APT29 has been linked to the Russian Federation’s Foreign Intelligence Service (SVR). The threat actor has consistently targeted governments, diplomatic institutions, NGOs, and IT service providers, primarily in the United States and Europe, since at least 2018. The group’s tactics involve gaining and expanding access through a variety of techniques, including stolen credentials, supply chain attacks, and advanced attacks that bypass authentication mechanisms to establish footholds within targeted environments.
In its most recent campaign, the threat actor targeted more than 100 organizations with phishing emails designed to trick users into opening a Remote Desktop Protocol (RDP) configuration file that gives the attackers access to the victim's system. The emails were crafted to appear as if they originated from legitimate sources such as Microsoft and Amazon Web Services (AWS) and incorporated Zero Trust themes. The campaign was previously detailed by Ukraine's CERT, which tracks the activity as UAC-0215. Last week, Amazon announced that it had seized internet domains used by APT29 in these attacks.
According to Microsoft, the campaign has targeted organizations across multiple countries, particularly focusing on the United Kingdom, Europe, Australia, and Japan. In some instances, the threat actor has impersonated Microsoft employees to enhance the credibility of the malicious emails.
Once opened, the attached RDP file establishes an outbound connection to an attacker-controlled server. Because the file ships with preconfigured settings and mapped local resources, that connection gives the attackers access to a wide range of data on the compromised system.
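An added example, not from Microsoft's report or the original article, showing how a mail gateway or EDR rule could triage an .rdp attachment of the kind described above: it parses the file's `key:type:value` lines and flags a connection to a host outside an allow-list together with any settings that hand local resources (drives, clipboard, printers, smart cards) to the remote side. The sample file, the placeholder hostname and the trusted suffix are constructed for the demonstration.

```python
from typing import Dict, List

# .rdp settings that expose local resources to the remote host, with the reason each matters.
REDIRECT_KEYS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "devicestoredirect": "plug-and-play devices redirected to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers redirected to the remote host",
    "redirectsmartcards": "smart cards usable by the remote host",
    "remoteapplicationmode": "RemoteApp mode hides that a full session was opened",
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines of an .rdp file into a dict keyed by lowercase name."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def redirect_enabled(key: str, value: str) -> bool:
    """Drive/device redirection is on when the list is non-empty ('*' = all); flags are on when '1'."""
    if key in ("drivestoredirect", "devicestoredirect"):
        return value != ""
    return value == "1"

def assess_rdp(text: str, trusted_suffixes: List[str]) -> List[str]:
    """Return human-readable findings for an .rdp file; an empty list means nothing suspicious."""
    settings = parse_rdp(text)
    findings: List[str] = []
    host = settings.get("full address", "").rsplit(":", 1)[0].lower()  # strip optional :port
    if host and not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
        findings.append(f"connects to untrusted host {host}")
    for key, why in REDIRECT_KEYS.items():
        if key in settings and redirect_enabled(key, settings[key]):
            findings.append(f"{key}={settings[key]}: {why}")
    return findings

# Constructed sample resembling a lure attachment; the host is a placeholder, not a real indicator.
SAMPLE_RDP = """screen mode id:i:2
full address:s:rdp.attacker-placeholder.invalid:443
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP, ["corp.example.com"]):  # trusted suffix is an assumption
        print("WARNING:", finding)
```

A file that only points at an internal VDI gateway with redirection disabled produces no findings, so the check can be used as a block-or-quarantine decision rather than a blanket ban on .rdp attachments.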