
Microsoft Warns of Ongoing Russian Intelligence Campaign

Russian SVR Targeting Government, Academia, Defense Organizations Globally
Russian intelligence hackers are posing as Microsoft employees to phish victims across the globe. (Image: Shutterstock)

A Russian-state hacking group is posing as Microsoft employees and sending malicious configuration files as email attachments to target organizations across the world for cyberespionage.


Microsoft on Tuesday said a campaign by Russia's Foreign Intelligence Service is responsible for phishing emails containing malicious remote desktop protocol configuration files. Microsoft tracks the threat actor as Midnight Blizzard (see: Tactics for Battling Attacks by Russia's Midnight Blizzard).

The computing giant in January disclosed that the group had obtained access to the inboxes of senior Microsoft executives for at least six weeks. Also known as APT29, Cozy Bear and Blue Kitsune, the group sent phishing emails to thousands of targets across government, academia, defense and non-governmental organizations around the world. The campaign mainly targeted organizations in the United Kingdom, Europe, Australia and Japan.

The campaign has the hallmarks of a Midnight Blizzard phishing campaign, Microsoft said, although its use of an RDP configuration file is "a novel access vector for this actor."

Microsoft detected the phishing in October, when the attackers used lures themed around Microsoft, Amazon Web Services or zero trust. The attached configuration file carries preset connection settings and resource-mapping options that expose the victim's local resources to the remote host for information gathering.

"Once the target system was compromised, it connected to the actor-controlled server and directionally mapped the targeted user's local device's resources to the server," Microsoft said. Hackers extracted the victims' hard disk details, clipboard contents, audio and information relating to authentication features.

Based on the information collected, the hackers then proceeded to install malware on the mapped network and deploy remote access Trojans to maintain prolonged access to the targeted devices, Microsoft said.
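The resource mapping described above is driven by ordinary settings inside the .rdp file: drive, clipboard, audio-capture and smart-card redirection are each a single `name:type:value` line. The following triage helper, an added example written for this article and not code from Microsoft, Amazon or CERT-UA, parses an .rdp attachment and flags every setting that would hand a local resource to the remote server, so a mail gateway or analyst can spot a weaponized file before anyone opens it. The two sample files and the hostname `rdp.example.invalid` are constructed for the demonstration; the setting names are the standard RDP file keys.

```python
"""Flag local-resource redirection in a .rdp attachment (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard .rdp keys that redirect a local resource to the remote host.
# Type "i" redirects when the integer is non-zero; type "s" when the
# string (a device list, "*" meaning everything) is non-empty.
REDIRECTION_SETTINGS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "audiocapturemode": "microphone / audio capture",
    "redirectsmartcards": "smart cards (authentication devices)",
    "redirectprinters": "printers",
    "devicestoredirect": "plug-and-play devices",
    "usbdevicestoredirect": "USB devices",
    "redirectposdevices": "point-of-sale devices",
}

# .rdp lines look like "full address:s:host" or "redirectclipboard:i:1".
RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


@dataclass
class RdpTriage:
    full_address: Optional[str] = None
    redirections: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        # Any redirection at all is worth a human look for an emailed file.
        return bool(self.redirections)


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting_name: (type, value)}; malformed lines are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RDP_LINE.match(line)
        if not m:
            continue
        settings[m["name"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def redirects(kind: str, value: str) -> bool:
    """True when a setting's value actually enables redirection."""
    if kind == "i":
        try:
            return int(value) != 0
        except ValueError:
            return False
    return value != ""


def triage_rdp(text: str) -> RdpTriage:
    """Summarize which local resources a .rdp file would expose."""
    settings = parse_rdp(text)
    result = RdpTriage()
    if "full address" in settings:
        result.full_address = settings["full address"][1]
    for name, (kind, value) in settings.items():
        if name in REDIRECTION_SETTINGS and redirects(kind, value):
            result.redirections.append(
                f"{REDIRECTION_SETTINGS[name]} ({name}={value})")
    # authentication level 0 means the client will not verify the server.
    if settings.get("authentication level", ("i", "2"))[1] == "0":
        result.warnings.append("authentication level 0: server not verified")
    if settings.get("prompt for credentials", ("i", "1"))[1] == "0":
        result.warnings.append("prompt for credentials disabled")
    return result


# Constructed sample: the kind of file the article describes.
SUSPICIOUS_RDP = """\
full address:s:rdp.example.invalid
prompt for credentials:i:0
authentication level:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
redirectprinters:i:1
devicestoredirect:s:*
session bpp:i:32
"""

# Constructed sample: an ordinary connection file with redirection off.
BENIGN_RDP = """\
full address:s:rdp.example.invalid
authentication level:i:2
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        t = triage_rdp(sample)
        print(f"{label}: host={t.full_address} risky={t.risky}")
        for item in t.redirections + t.warnings:
            print("  -", item)
```

Run against a quarantined attachment, the output lists each redirected resource and the remote host it would be mapped to, which is enough to decide whether the file should ever reach a user's mail client.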

The alert from Microsoft comes after Amazon last week took down domains mimicking its service after Midnight Blizzard sent Ukrainian-language phishing emails carrying RDP configuration files. Amazon said the threat actor was after the targets' Windows credentials. The Computer Emergency Response Team of Ukraine also published an advisory about the campaign.


About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



