Russian hackers target US officials in a new spear-phishing campaign

News
30 Oct 2024, 4 mins
Hacker Groups, Phishing, Zero Trust

Microsoft has warned that Midnight Blizzard, linked to Russia’s SVR, employs novel tactics to compromise government and NGO accounts.


Russian state-backed hacking group Midnight Blizzard, also known as APT29 and linked to the Russian Foreign Intelligence Service (SVR), has launched a new spear-phishing campaign targeting US officials, academics, and members of the defense and NGO sectors, Microsoft said in a statement.

According to Microsoft, the campaign has been running since last week, with highly targeted phishing emails sent to thousands of individuals across more than 100 organizations in an effort to collect sensitive intelligence.

“Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors,” Microsoft wrote in a blog. “Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection.”

Reports from Ukraine’s CERT-UA and Amazon have also highlighted similar Midnight Blizzard activity, underlining the global nature of this ongoing threat, the statement added.

Spear-phishing with a new twist

Midnight Blizzard’s latest operation features a novel access vector: a Remote Desktop Protocol (RDP) configuration file (.rdp) signed with a certificate from Let's Encrypt. A signature from a free, publicly trusted CA says nothing about the sender's intent, but it lets the attachment present as a signed file. The phishing emails impersonate Microsoft employees and reference familiar cloud services such as Amazon Web Services (AWS) and zero-trust principles to make the attachment look routine.

Once opened, the .rdp file makes the target’s device initiate an outbound RDP session to a server controlled by the attackers, and the file's settings redirect local resources into that session: local hard disks, clipboard contents, and authentication devices such as smart cards become available to the remote side.

“The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust,” the statement added.

The lures and targeting are consistent with Midnight Blizzard’s previous campaigns, but using an .rdp file as the initial access vector is a new approach for the group. Because the connection is made by the legitimate Remote Desktop client rather than by a dropped executable, it can slip past controls that look for malware; once the session is up, the attackers can write files to the redirected local drives, install malware, or deploy remote access trojans (RATs) to keep persistent access to the compromised system.
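The pattern described in this section, as an added example that is not part of the original article or of Microsoft's published detections: a Python triage routine for .rdp attachments that parses the file's settings, checks whether the connection target lies outside an allowlist of internal RDP hosts, and flags the redirection settings that hand local drives, the clipboard and smart cards to the remote side. The allowlist suffix corp.example.com, the host rdp-gateway.attacker.example and both sample files are constructed for illustration, and the signature value is a placeholder.

```python
"""Triage an .rdp attachment: outbound connection to a non-corporate host
combined with redirection of local drives, clipboard and smart cards.

Added example for this article, not Microsoft's detection code.  Hosts,
allowlist and sample files are constructed (assumption: internal RDP
targets live under corp.example.com).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Settings that redirect local resources into the session.  An "i" setting
# is risky when it equals 1; an "s" setting when non-empty ("*" = all).
INT_REDIRECTS = {
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards (authentication)",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectposdevices": "POS devices",
}
STR_REDIRECTS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug-and-play devices",
}
# Redirecting these to an untrusted host is enough for a "high" verdict.
CRITICAL = {"local drives", "smart cards (authentication)"}

ALLOWED_RDP_SUFFIXES = ("corp.example.com",)  # assumption: internal hosts


@dataclass
class Verdict:
    level: str                       # "low", "medium" or "high"
    host: str | None
    findings: list[str] = field(default_factory=list)


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'name:type:value' lines into {name: value}; skip malformed ones."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)   # the value may itself contain ':'
        if len(parts) == 3 and parts[1] in ("i", "s"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def target_host(settings: dict[str, str]) -> str | None:
    """Connection host without port; 'full address' wins over the alternate."""
    addr = settings.get("full address") or settings.get("alternate full address")
    if not addr:
        return None
    if addr.startswith("["):                 # bracketed IPv6 literal
        return addr[1:addr.find("]")].lower()
    return addr.rsplit(":", 1)[0].lower() if addr.count(":") == 1 else addr.lower()


def is_allowed_host(host: str, allowed: tuple[str, ...]) -> bool:
    return any(host == s or host.endswith("." + s) for s in allowed)


def assess_rdp(text: str, allowed: tuple[str, ...] = ALLOWED_RDP_SUFFIXES) -> Verdict:
    settings = parse_rdp(text)
    host = target_host(settings)
    findings: list[str] = []
    # No target at all means the client prompts; treat as untrusted.
    external = host is None or not is_allowed_host(host, allowed)
    if external:
        findings.append(f"connects to non-allowlisted host {host}")

    redirected = {label for key, label in INT_REDIRECTS.items() if settings.get(key) == "1"}
    redirected |= {label for key, label in STR_REDIRECTS.items() if settings.get(key)}
    findings += [f"redirects {label} to the remote host" for label in sorted(redirected)]

    if settings.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode: the remote side chooses what is shown")
    if "signature" in settings:
        # A signature from a public CA proves nothing about intent.
        findings.append("file is signed; signer identity is not a trust signal here")

    if not external:
        level = "low"                        # allowlisted target: internal policy applies
    elif redirected & CRITICAL:
        level = "high"
    else:
        level = "medium"
    return Verdict(level, host, findings)


# Constructed sample resembling the campaign's file (hypothetical host,
# placeholder signature).
LURE_RDP = """\
screen mode id:i:2
full address:s:rdp-gateway.attacker.example:3389
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectposdevices:i:1
remoteapplicationmode:i:0
signscope:s:Full Address,Drives To Redirect,Redirect Clipboard
signature:s:PLACEHOLDER
"""

# Constructed sample of an ordinary internal connection file.
INTERNAL_RDP = """\
screen mode id:i:2
full address:s:ts01.corp.example.com
drivestoredirect:s:
redirectclipboard:i:1
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for name, body in (("lure.rdp", LURE_RDP), ("internal.rdp", INTERNAL_RDP)):
        v = assess_rdp(body)
        print(f"{name}: {v.level} ({v.host})")
        for f in v.findings:
            print("  -", f)
```

The natural place for a check like this is the mail gateway or the endpoint's attachment handler, where a "high" verdict can quarantine the file before the Remote Desktop client ever sees it; the allowlist is the part each organization has to fill in from its own RDP gateway inventory.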

A longstanding espionage threat

Midnight Blizzard has been linked to espionage activities dating back to 2018, primarily targeting governments, NGOs, and IT service providers in the US and Europe. Its operations typically involve a range of sophisticated techniques, including spear-phishing, stolen credentials, and supply chain attacks. The group has been known to compromise authentication mechanisms within organizations, making it difficult to detect their presence until significant damage has been done.

“It uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers’ trust chain to gain access to downstream customers,” Microsoft said in the statement.

The group is identified by multiple security vendors under different aliases, including UNC2452 and Cozy Bear, and has been responsible for high-profile cyber-espionage campaigns. Their focus remains intelligence gathering through persistent infiltration of foreign entities.

Midnight Blizzard is also known for FOGGYWEB and MAGICWEB, two post-compromise backdoors planted on Active Directory Federation Services (AD FS) servers that let the group abuse the organization's own federated authentication after it has already gained access.

Only last week, Microsoft warned that with the US presidential election closing in, foreign actors from Iran, Russia, and China have increased their cyber influence activities aimed at disrupting the electoral process.

“Foreign actors from Russia, China, and Iran continue to pose a multifaceted threat to the 2024 US election, with each country leveraging unique tactics to influence voters,” Microsoft had said in a statement earlier last week.

To mitigate threats like this, Microsoft has recommended implementing strong anti-phishing measures, including regular security audits and user education about phishing tactics.

“As nation-state actors like Midnight Blizzard continue to evolve their methods, vigilance against phishing attacks remains a top priority for those in critical sectors,” the firm added.