
Foreign threat group initiates spearphishing campaign, deploying malicious Remote Desktop Protocol (RDP) files for potential cyber attacks

Cyberattacks perpetrated by Midnight Blizzard have affected over 100 entities spanning the government, IT sector, and academia. In certain instances, Microsoft staff members were falsely represented as part of the attack.


In a recent development, Microsoft researchers have identified a sophisticated cyber espionage campaign run by the group known as Midnight Blizzard. This group, previously tracked as Nobelium and also known as APT29, is a hacking collective linked to the Russian Foreign Intelligence Service (SVR).

The current spear-phishing campaign, which began on October 22, targets victims across dozens of countries, with a focus on the U.K., Europe, Japan, and Australia. The attack method involves the use of malicious remote desktop protocol files.

Midnight Blizzard is notorious for its strategic, stealthy operations, exploiting overlooked security gaps in legacy systems. The group has been active since around 2008, carrying out high-profile breaches such as the 2016 Democratic National Committee (DNC) hack and the SolarWinds supply chain attack.

One of the noteworthy attacks by Midnight Blizzard was the compromise of Microsoft’s corporate email systems in January 2024. The group exploited a legacy, non-production test tenant account that had an easy-to-guess password and lacked multi-factor authentication (MFA). After gaining access, it abused a legacy test OAuth application with elevated privileges to deepen its intrusion into Microsoft’s corporate environment.

Another significant breach was of Hewlett Packard Enterprise (HPE) in May 2023, indicating that Midnight Blizzard's campaign targeted multiple global technology companies aside from Microsoft.

The goal of the current spear-phishing campaign is to collect intelligence. Emails in the campaign were sent to thousands of targets across more than 100 organizations, including those in government, defense, and academia. In some cases, the emails impersonated Microsoft employees to lend credibility.

Once a targeted victim opens the RDP attachment, a connection is made to a server controlled by the threat actor, exposing sensitive information.

AWS has identified internet domains abused by the threat group, also known as APT29 and affiliated with Russia's Foreign Intelligence Service. CISA recommends organizations restrict outbound RDP connections, prohibit RDP files from being transmitted through email clients and webmail servers, and block the execution of RDP files by users. They also suggest enabling multifactor authentication and deploying phishing-resistant authentication services, such as FIDO tokens.
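The CISA recommendations above can be backed by triage at the mail gateway or on the endpoint. The following is an added example, not code from the article or from CISA: it parses the standard `key:type:value` format of an .rdp file, flags a destination that is not on an allowlist of approved internal RDP hosts, and flags resource-redirection settings that would expose local drives or clipboard contents to the remote side. The allowlist, the sample lure and the placeholder hostname are constructed assumptions.

```python
"""Triage emailed .rdp files (added example; allowlist and sample are constructed)."""
import re

# Assumption: the organization's approved internal RDP destinations.
APPROVED_RDP_HOSTS = {"rdp-gw.corp.example", "10.0.5.20"}

# Standard .rdp settings that redirect local resources to the remote host.
# Assumption: a file arriving by email has no legitimate reason to enable these.
REDIRECTION_KEYS = {
    "drivestoredirect", "redirectclipboard", "redirectprinters",
    "redirectsmartcards", "devicestoredirect", "redirectcomports",
}

# .rdp lines look like "full address:s:host:port" or "redirectclipboard:i:1".
LINE_RE = re.compile(r"^\s*([^:]+):([si]):(.*)$")


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; lines that do not match are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, _typ, value = m.groups()
            settings[key.strip().lower()] = value.strip()
    return settings


def triage_rdp(text, approved=APPROVED_RDP_HOSTS):
    """Return a list of findings for one .rdp file; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0]
    if not host:
        findings.append("no 'full address' (cannot vet destination)")
    elif host.lower() not in approved:
        findings.append(f"outbound RDP to unapproved host {host!r}")
    for key in sorted(REDIRECTION_KEYS.intersection(s)):
        if s[key] and s[key] != "0":  # empty or 0 means the redirection is off
            findings.append(f"{key} enabled ({s[key]!r})")
    return findings


# Constructed sample mimicking an emailed lure; the hostname is a placeholder, not an IoC.
SAMPLE_LURE = """\
full address:s:rdp.attacker-placeholder.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_LURE):
        print("FLAG:", finding)
```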

Midnight Blizzard was involved in the 2020 Sunburst attacks and has a history of targeting government and IT companies. The Cybersecurity and Infrastructure Security Agency has received reports of a foreign threat actor targeting government and IT companies in a widescale spear-phishing campaign.

Microsoft Threat Intelligence has been tracking the activities of Midnight Blizzard and has linked the spear-phishing campaign to this group. Organizations are urged to take necessary precautions to protect their systems from such advanced persistent threats.

  1. The spear-phishing campaign by Midnight Blizzard, currently underway since October 22, is collecting threat intelligence, with a focus on data-and-cloud-computing companies like Microsoft and Hewlett Packard Enterprise, using phishing techniques and malicious RDP files to exploit security gaps in legacy systems.
  2. To mitigate the risks posed by Midnight Blizzard, AWS has identified and reported internet domains abused by the threat group, and CISA recommends that organizations restrict outbound RDP connections, block RDP files from email clients, prohibit the execution of RDP files by users, enable multifactor authentication, and deploy phishing-resistant authentication services like FIDO tokens.
  3. Microsoft Threat Intelligence has identified Midnight Blizzard, a Russian hacking collective linked to the SVR, as the perpetrator of the spear-phishing campaign, raising concerns about the potential cybersecurity risks for both government and technology sectors. Organizations are urged to prioritize their cybersecurity measures to handle such advanced persistent threats.
