Published on: October 31, 2024
Microsoft is warning of a new spear-phishing campaign by Russian hackers, whose targets include US government employees and defense workers.
In its blog post, Microsoft Threat Intelligence warned that the Russian hacking group Midnight Blizzard has been sending phishing emails to individuals in the US across sectors like government, academia, defense, and non-governmental organizations.
Spear-phishing is the sending of highly personalized messages that carry malicious links or attachments designed to steal sensitive information or gain a foothold on the recipient's device. Some emails in the recent campaign involved senders posing as Microsoft employees, the blog noted, in an attempt to “add credibility.” They also made references to other cloud providers, like Amazon Web Services.
It remains unclear how many of these attacks, if any, achieved their intended outcome.
The company said it detected the campaign on Oct. 22. The hackers sent phishing emails to more than 100 organizations, and the emails “contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate,” the blog reads.
“When the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system,” it continues.
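As an added example, not code from the article or from Microsoft, the script below shows how a mail gateway or incident responder could triage an .rdp attachment. An RDP configuration file is plain text in `key:type:value` form, and the settings that let the remote host "discover and use information about the target system" are the resource-redirection keys (drives, clipboard, printers, smart cards, WebAuthn) plus the address of the host the file connects to. The list of keys checked, the host allowlist, and the two sample files are assumptions for illustration; the article does not name which settings the campaign's files actually set.

```python
"""Triage helper for .rdp attachments (added example, not the article's code).

Parses the RDP file format (one 'key:type:value' setting per line) and flags
settings that would hand a remote host access to the local machine.
"""
from __future__ import annotations

# Real RDP file keys that expose local resources to the remote host.
# Which of these the campaign's files used is an assumption, not a fact
# stated in the article.
RISKY_INT_KEYS = {
    "redirectclipboard": "clipboard shared with remote host",
    "redirectprinters": "printers shared with remote host",
    "redirectsmartcards": "smart cards shared with remote host",
    "redirectcomports": "serial ports shared with remote host",
    "redirectposdevices": "POS devices shared with remote host",
    "redirectwebauthn": "WebAuthn/passkey requests forwarded to remote host",
    "remoteapplicationmode": "RemoteApp mode: remote programs appear as local windows",
}
RISKY_STR_KEYS = {
    "drivestoredirect": "local drives mapped into the remote session ('*' = all)",
    "devicestoredirect": "plug-and-play devices mapped into the remote session",
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {key: (type, value)}; malformed lines are skipped, not errors."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ, value.strip())
    return settings


def triage_rdp(text: str, allowed_hosts: set[str]) -> dict:
    """Classify one .rdp file as 'allow', 'review' or 'block'."""
    s = parse_rdp(text)
    findings: list[tuple[str, str]] = []

    # Destination host. Assumes 'host' or 'host:port' with a hostname/IPv4.
    target = s.get("full address", ("s", ""))[1]
    host = target.split(":")[0].lower()
    outside_allowlist = host not in allowed_hosts
    if not host:
        findings.append(("full address", "no destination host set"))
    elif outside_allowlist:
        findings.append(("full address", f"connects to host outside the allowlist: {host}"))

    has_redirection = False
    for key, note in RISKY_INT_KEYS.items():
        if s.get(key, ("i", "0"))[1] == "1":
            findings.append((key, note))
            has_redirection = True
    for key, note in RISKY_STR_KEYS.items():
        value = s.get(key, ("s", ""))[1]
        if value:
            findings.append((key, f"{note}: {value}"))
            has_redirection = True

    # Only reports that signature lines exist; it does not validate them.
    signed = "signature" in s and "signscope" in s

    if host and outside_allowlist and has_redirection:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "signed": signed, "findings": findings, "verdict": verdict}


# Constructed sample files for demonstration; hostnames are placeholders.
MALICIOUS_SAMPLE = """\
screen mode id:i:2
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Alternate Full Address
signature:s:<base64 signature blob, placeholder>
"""

BENIGN_SAMPLE = """\
full address:s:jumphost.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage_rdp(sample, allowed_hosts={"jumphost.corp.example"})
        print(name, result["verdict"], result["host"], "signed=%s" % result["signed"])
        for key, note in result["findings"]:
            print("   ", key, "->", note)
```

A file that points at a host outside the organization's known RDP endpoints and also enables drive, clipboard or smart-card redirection is the combination worth quarantining outright. Note that the `signed` flag is not a trust signal: the script only reports that signature lines are present, and a signature from a certificate anyone can obtain for free says nothing about the sender's intent.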
The tech giant believes that the operation is likely focused on gathering intelligence.
“Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection,” Microsoft said.
The US and UK governments have linked the hacker group to Russia’s Foreign Intelligence Service (SVR). Active since 2018, the group typically targets governments, diplomatic organizations, NGOs, and IT service providers, with a focus on entities in the US and Europe.
“While this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor. Overlapping activity has also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0215 and also by Amazon,” Microsoft explains.