18 December 2024

Russia-linked APT29 adopts rogue RDP technique for espionage campaign


The Russia-linked advanced persistent threat (APT) group APT29, also known as Earth Koshchei and Midnight Blizzard, has been observed repurposing a legitimate red teaming attack methodology to launch sophisticated cyberattacks.

According to a report by Trend Micro, the group has adopted a “rogue Remote Desktop Protocol (RDP)” technique to target governments, armed forces, think tanks, academic researchers, and Ukrainian entities. This method, first documented by Black Hills Information Security in 2022 as a legitimate red team tactic, has been weaponized by Earth Koshchei for malicious purposes.

The campaign, which peaked in October 2024, involved spear-phishing emails designed to trick recipients into launching malicious RDP configuration files. The files directed victims' computers to connect to rogue RDP servers via one of the group's 193 established RDP relays.

The technique employs an RDP relay, rogue RDP server, and malicious configuration files. Victims unknowingly grant attackers partial control of their machines.
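As an added, defensive example that is not part of the Trend Micro report or this article: a small Python scanner for `.rdp` configuration files (the `key:type:value` format read by the Windows Remote Desktop client). It flags a connection target outside an allowlist and any resource-redirection or RemoteApp setting that would hand the remote server access to local drives, clipboard or other resources. The sample file, the allowlist and the choice of which settings count as risky are this example's own assumptions.

```python
import re

# Standard .rdp keys that, when enabled, expose local resources to the remote
# host or launch a remote program. Treating them as high-risk in mail-delivered
# files is this example's own policy, not something the report specifies.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v != "",        # local drives mapped to the remote host
    "redirectclipboard": lambda v: v == "1",      # clipboard shared with the remote host
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp: a remote program is launched
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):([sib]):(.*)$")

def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: value}; unknown lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def scan_rdp(text, allowed_hosts):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0].lower()
    if not host:
        findings.append("no 'full address' target; file may be malformed")
    elif not any(host == a or host.endswith("." + a) for a in allowed_hosts):
        findings.append(f"target host '{host}' not in the allowlist")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key} enabled: {s[key]!r}")
    return findings

# Constructed sample (not from the report): a file that would map all local
# drives and the clipboard to a host outside the organisation's allowlist.
SUSPICIOUS_RDP = """\
full address:s:remote.example-rogue.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
screen mode id:i:2
"""

if __name__ == "__main__":
    for finding in scan_rdp(SUSPICIOUS_RDP, ["corp.example.com"]):
        print("FLAG:", finding)
```

The same check can run at the mail gateway on any `.rdp` attachment, where a non-empty findings list is a reason to quarantine the message for review.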

Trend Micro revealed that Earth Koshchei registered more than 200 domain names between August and October 2024 to support the campaign. The group leveraged anonymization layers, including commercial VPN services, the Tor network, and residential proxies, to mask its operations and complicate attribution efforts.

Spear-phishing emails were sent from at least five legitimate but compromised mail servers.

Earth Koshchei has long been associated with cyber-espionage activities aimed at Western governments and industries. Known for its adaptive tactics, the group has previously deployed methods like password spraying, brute-forcing dormant accounts, and watering hole attacks.
