Russia’s APT29 Mimics AWS to Steal Windows Credentials

Russia’s leading advanced persistent threat group has been actively targeting a wide array of organizations, including military, governmental, and corporate entities, through phishing campaigns. Known as APT29, or by its aliases Midnight Blizzard, Nobelium, and Cozy Bear, this group is recognized as one of the most formidable threat actors globally. Operating under the auspices of the Russian Federation’s Foreign Intelligence Service (SVR), APT29 has gained notoriety for significant breaches such as those involving SolarWinds and the Democratic National Committee (DNC).

Recently, APT29 has expanded its reach, breaching Microsoft’s codebase and targeting political entities across Europe, Africa, and beyond. “APT29 embodies the ‘persistent’ part of ‘advanced persistent threat,'” notes Satnam Narang, a senior staff research engineer at Tenable. He elaborates that the group has consistently focused on organizations in the United States and Europe, employing a variety of techniques, including spear-phishing and exploiting vulnerabilities to gain initial access and escalate privileges. The group’s primary objective remains the collection of foreign intelligence while maintaining a foothold within compromised organizations for future operations.

In a recent development, the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered APT29’s phishing attempts aimed at extracting Windows credentials from government, military, and private sector targets within Ukraine. Further collaboration with international authorities revealed that this campaign had a broad geographical scope. Narang emphasizes that while APT29’s targeting of sensitive credentials is expected, the group’s extensive focus on diverse organizations marks a deviation from its typically narrower attack patterns.

AWS and Microsoft

The phishing campaign, which began in August, utilized malicious domain names crafted to resemble those associated with Amazon Web Services (AWS). Emails dispatched from these domains masqueraded as guidance on integrating AWS with Microsoft services and implementing zero trust architecture. However, AWS clarified that the attackers were not after Amazon or its customers’ AWS credentials.

The true intent behind the campaign lay in the attachments: .rdp configuration files, the plain-text files that Microsoft's Remote Desktop client (mstsc.exe) reads to set up a remote desktop connection. Remote Desktop is widely used by legitimate administrators and by criminals alike. “Typically, attackers will attempt to brute force their way into a system or exploit vulnerabilities before configuring RDP. In this instance, they are essentially indicating: ‘We want to establish that connection upfront,'” Narang explains.

Opening one of these attachments would have launched the Remote Desktop client and initiated an outbound RDP connection to an APT29-controlled server; because the victim's own workstation dials out, no inbound firewall rule or exposed service is needed. The files also carried redirection parameters that exposed the target computer's local resources to that server: its drives, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, along with the ability to run attacker-supplied scripts on the client.
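The redirection settings described above are ordinary, documented keys of the .rdp file format, which makes a malicious file easy to triage statically before it ever reaches a user. The following Python is an added example written for this page, not CERT-UA or Tenable tooling and not a file from the campaign: the setting names are real mstsc.exe keys, while the sample files, the lookalike hostname (a `.test` domain) and the trusted-host list are constructed for illustration. It parses the `name:type:value` lines and reports every setting that would expose a local resource to the server, plus a connection to a host outside an allowlist.

```python
"""Static triage of a .rdp attachment: flag settings that hand the remote
server access to the victim's local resources. Added example; setting names
are real mstsc.exe keys, sample files and trusted hosts are constructed."""
import re

# An .rdp file is plain text, one "name:type:value" setting per line;
# type is s (string), i (integer) or b (binary blob).
SETTING_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Integer flags where the value 1 exposes a local resource to the RDP server.
RISKY_INT_FLAGS = {
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers exposed",
    "redirectcomports": "COM ports exposed",
    "redirectsmartcards": "smart cards exposed",
    "redirectposdevices": "POS devices exposed",
    "audiocapturemode": "local microphone streamed to the remote host",
    "remoteapplicationmode": "RemoteApp mode: server-chosen program runs instead of a desktop",
}
# String settings where any non-empty value maps local devices into the session.
RISKY_STR_FLAGS = {
    "drivestoredirect": "local drives mapped into the remote session",
    "devicestoredirect": "plug-and-play devices mapped into the remote session",
    "usbdevicestoredirect": "USB devices mapped into the remote session",
}


def parse_rdp(text):
    """Return {setting name: (type, value)}. Malformed lines are skipped,
    mirroring the client, which ignores lines it does not recognise."""
    settings = {}
    for raw in text.splitlines():
        m = SETTING_RE.match(raw.strip())
        if m:
            settings[m["name"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def triage_rdp(text, trusted_hosts):
    """Return human-readable findings; an empty list means the file connects
    to a trusted host and asks for no redirection. Only explicit settings are
    judged: client-side defaults (e.g. clipboard) are out of scope here."""
    settings = parse_rdp(text)
    findings = []
    # "full address" may carry a port ("host:3389"); keep the host part only.
    # Bracketed IPv6 literals are not handled by this simple split.
    host = settings.get("full address", ("s", ""))[1].split(":")[0].lower()
    if not host:
        findings.append("no 'full address' setting: nothing to connect to")
    elif host not in trusted_hosts:
        findings.append(f"connects to untrusted host {host}")
    for name, why in RISKY_INT_FLAGS.items():
        if settings.get(name, ("i", "0"))[1] == "1":
            findings.append(f"{name}=1: {why}")
    for name, why in RISKY_STR_FLAGS.items():
        value = settings.get(name, ("s", ""))[1]
        if value:
            findings.append(f"{name}={value}: {why}")
    return findings


# Constructed allowlist and sample files (illustrative, not campaign artefacts).
TRUSTED_HOSTS = {"ts.corp.example"}

BENIGN_RDP = """\
screen mode id:i:2
full address:s:ts.corp.example:3389
authentication level:i:2
"""

SUSPICIOUS_RDP = """\
screen mode id:i:2
full address:s:rdp.aws-lookalike.test
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Helper
"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_RDP), ("suspicious", SUSPICIOUS_RDP)):
        print(label, triage_rdp(body, TRUSTED_HOSTS) or ["no findings"])
```

Run against the suspicious sample, `triage_rdp` reports the untrusted host and seven redirection settings; the benign file yields nothing. Note that `drivestoredirect:s:*` alone is enough to give the server read and write access to every local drive once the victim accepts the connection prompt, so a gateway rule that quarantines any .rdp attachment requesting drive redirection is a reasonable fallback where blocking the extension outright is not possible.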

Block RDP

Although APT29 did not use any legitimate AWS domains, Amazon disrupted the campaign by taking down the lookalike domains the group had registered. CERT-UA advises organizations to check network logs for connections to the APT29-related IP addresses it published and to review all outbound connections to external IP addresses through the end of the month.
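The CERT-UA advice above amounts to a hunt for RDP sessions leaving the network. The Python below is an added example, not CERT-UA's tooling: it reads a constructed `key=value` firewall export (RFC 5737 documentation addresses, not real traffic), keeps tcp/3389 sessions whose destination lies outside the internal ranges, groups them per source/destination pair, and marks the pairs that match a placeholder indicator set where a real deployment would load the addresses published with the advisory.

```python
"""Hunt for outbound RDP in a firewall log: tcp/3389 from an internal host to
an external destination, with known indicator addresses called out.
Added example; log lines, address ranges and indicator list are constructed."""
import ipaddress

# Internal ranges; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder indicator set; load the published APT29 addresses in practice.
KNOWN_BAD = {"198.51.100.9"}

# Constructed key=value export using documentation addresses (not real traffic).
SAMPLE_LOG = """\
ts=2024-10-22T09:14:03Z src=10.20.4.15 dst=10.20.0.7 dport=3389 proto=tcp action=allow
ts=2024-10-22T09:15:41Z src=10.20.4.15 dst=203.0.113.44 dport=3389 proto=tcp action=allow
ts=2024-10-22T09:16:02Z src=10.20.4.15 dst=203.0.113.44 dport=443 proto=tcp action=allow
ts=2024-10-22T09:20:10Z src=10.20.7.3 dst=198.51.100.9 dport=3389 proto=tcp action=allow
ts=2024-10-22T09:21:00Z src=10.20.7.3 dst=198.51.100.9 dport=3389 proto=tcp action=allow
ts=2024-10-22T09:25:30Z src=10.20.7.3 dst=198.51.100.9 dport=3389 proto=udp action=allow
"""


def parse_line(line):
    """Split one 'k=v k=v ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_outbound_rdp(log_text, known_bad=KNOWN_BAD):
    """Return one record per (src, dst) pair seen opening RDP to an external
    address, as {'src', 'dst', 'count', 'first_seen', 'reason'}, oldest first."""
    pairs = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # An RDP session always starts over TCP; the UDP transport is only
        # negotiated afterwards, so tcp/3389 alone is enough to find sessions.
        if rec.get("dport") != "3389" or rec.get("proto") != "tcp":
            continue
        if is_internal(rec["dst"]):
            continue  # ordinary internal administration traffic
        key = (rec["src"], rec["dst"])
        if key not in pairs:
            reason = ("matches published indicator" if rec["dst"] in known_bad
                      else "RDP to external address")
            pairs[key] = {"src": rec["src"], "dst": rec["dst"], "count": 0,
                          "first_seen": rec["ts"], "reason": reason}
        pairs[key]["count"] += 1
    # ISO-8601 timestamps sort correctly as strings.
    return sorted(pairs.values(), key=lambda r: r["first_seen"])


if __name__ == "__main__":
    for hit in hunt_outbound_rdp(SAMPLE_LOG):
        print(f"{hit['first_seen']} {hit['src']} -> {hit['dst']} "
              f"x{hit['count']} ({hit['reason']})")
```

The sample yields two pairs: one workstation talking RDP to an unknown external address and one talking to the placeholder indicator. Matching on port 3389 is a floor, not a ceiling: the attacker writes the `full address` line and can name any port, so where endpoint telemetry is available the stronger query is "mstsc.exe opening any outbound connection to a non-corporate address", regardless of port.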

For organizations looking to mitigate future risks, Narang offers straightforward guidance: “First and foremost, don’t allow RDP files to be received. You can block them at your email gateway. That’s going to kneecap this whole thing.” AWS has opted not to provide additional comments on the matter, and inquiries have also been made to Microsoft for their insights.
