Midnight Blizzard is on the rampage again, and enterprises should be wary of its new tactics
Also known as APT29, Midnight Blizzard uses RDP configuration files to access Windows credentials, targeting government and defense organizations
Microsoft is warning of a Russia-linked spear phishing campaign targeting government, academia, defense and NGOs.
The notorious Midnight Blizzard group - also known as APT29 and Cozy Bear - has been carrying out its campaign in dozens of countries. As with its earlier phishing campaigns, it's been particularly active in the UK, Europe, Australia, and Japan.
The campaign is still going on, according to Microsoft, with the company revealing it’s in the process of contacting customers that have been targeted or compromised, and helping them secure their accounts.
The spear phishing emails were sent to thousands of targets in more than 100 organizations. In some cases, the criminals impersonated Microsoft employees, while in others they referenced other cloud providers such as Amazon Web Services (AWS), along with the concept of zero trust.
They contained a signed Remote Desktop Protocol (RDP) configuration file that connected to a server under the group's control, Microsoft warned.
"Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards," the company said in an advisory.
"This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed."
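As an added example (not code from the article or from Microsoft's advisory), the script below shows how a mail gateway or sandbox pipeline can triage an .rdp attachment of the kind described above without ever opening it in mstsc. It parses the standard `name:type:value` directive syntax, reports which of the documented resource-redirection directives are switched on (drives, clipboard, printers, smart cards, devices, microphone) and which host they would hand those resources to, and blocks the file when that host is not on the organisation's own allow-list. The allow-listed host and the sample attachment are constructed placeholders, not indicators from the campaign; the file being signed is reported but deliberately does not soften the verdict, because a signature only binds the settings, it says nothing about who will receive the redirected resources.

```python
"""Triage an .rdp attachment by flagging resource-redirection directives.

Added example, not from the ITPro article or Microsoft's advisory. Assumes the
standard mstsc .rdp syntax (one `name:type:value` directive per line, type `s`
for string or `i` for integer). The file is only parsed, never opened.
"""
import re
from typing import Dict, List, Tuple

# Documented mstsc .rdp directives and the local resource each one exposes to
# the remote host when enabled.
REDIRECTION_DIRECTIVES: Dict[str, str] = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "serial (COM) ports",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
    "redirectsmartcards": "smart cards",
    "audiocapturemode": "microphone",
}

# Hosts on which the organisation really runs RDP (constructed placeholder).
TRUSTED_RDP_HOSTS = {"rds.corp.example"}

DIRECTIVE_RE = re.compile(r"^\s*([^:]+):([si]):(.*)$")


def decode_rdp(raw: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; other tools write UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {directive name (lower-case): (type, value)}; unknown lines are skipped."""
    directives: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            name, typ, value = m.groups()
            directives[name.strip().lower()] = (typ, value.strip())
    return directives


def _enabled(typ: str, value: str) -> bool:
    """Integer directives are on when non-zero; string ones (e.g. `*` or `C:\\;D:\\`) when non-empty."""
    if typ == "i":
        return value not in ("", "0")
    return value != ""


def target_host(address: str) -> str:
    """Strip the port from a `full address` value, handling `[ipv6]:port`."""
    address = address.strip().lower()
    if address.startswith("[") and "]" in address:
        return address[1:address.index("]")]
    return address.split(":")[0]


def triage_rdp(raw: bytes) -> dict:
    """Summarise what the file would redirect, to where, and a block/review/allow verdict."""
    d = parse_rdp(decode_rdp(raw))
    host = target_host(d.get("full address", ("s", ""))[1])
    findings: List[str] = []
    for name, resource in REDIRECTION_DIRECTIVES.items():
        if name in d and _enabled(*d[name]):
            findings.append(f"{name}={d[name][1]!r} shares {resource} with {host or '<no host>'}")
    untrusted_host = host not in TRUSTED_RDP_HOSTS
    # A signature (signscope + signature directives) is reported only; it never lowers the verdict.
    signed = "signscope" in d and "signature" in d
    if findings and untrusted_host:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"target": host, "signed": signed, "untrusted_host": untrusted_host,
            "findings": findings, "verdict": verdict}


# Constructed sample attachment (UTF-16LE with BOM, as mstsc would save it).
# The host is a reserved `.invalid` name, not a real indicator.
SAMPLE_RDP = b"\xff\xfe" + """\
full address:s:rdp.attacker-controlled.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
audiocapturemode:i:1
signscope:s:Full Address,Drivestoredirect,Redirectclipboard
signature:s:PLACEHOLDER-BASE64-SIGNATURE
""".encode("utf-16-le")

if __name__ == "__main__":
    result = triage_rdp(SAMPLE_RDP)
    print(f"{result['verdict'].upper()}: target={result['target']} signed={result['signed']}")
    for f in result["findings"]:
        print("  -", f)
```

In a pipeline the verdict would typically quarantine the message and raise an alert carrying the `findings` list, which already names every resource the file would expose; a "review" verdict covers the case where a legitimate internal host is used with more redirection than your baseline allows.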
Midnight Blizzard is mixing things up
This is a new attack vector for the group, according to Microsoft, though it's known for using a wide range of initial access methods.
These include spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers’ trust chains to gain access to downstream customers.
Midnight Blizzard has been linked by the US and UK governments to the Russian intelligence services. Since at least early 2018 it's been targeting governments, diplomatic bodies, non-governmental organizations, and IT service providers, mainly in the US and Europe, to steal information.
Juliette Hudson, CTO at CybaVerse, described the group as “one of the world’s most notorious threat actors”, noting that its links to the Russian government make it a particularly potent threat to enterprises.
"The group is well-known for its stealthy cyber espionage campaigns, which have allowed it to infiltrate and steal sensitive emails from government figures all across the world," Hudson said.
"This has been one of the biggest challenges with Midnight Blizzard in the past. They have compromised victims completely without their knowledge, often operating under the radar for months before their attack is detected."
The activity observed by Microsoft has also been spotted by AWS, which recently said it had seized domains used by the group in its phishing attacks.
"In this instance, their targets were associated with government agencies, enterprises, and militaries, and the phishing campaign was apparently aimed at stealing credentials from Russian adversaries," said chief information security officer and Amazon VP of security engineering CJ Moses.
"APT29 sent the Ukrainian language phishing emails to significantly more targets than their typical, narrowly targeted approach."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.