Microsoft Warns of Russian Hackers Targeting US Officials as Election Nears

Penka Hristovska, Senior Editor
Published on: October 31, 2024

Microsoft is warning of a new spear-phishing campaign by Russian hackers, whose targets include US government employees and defense workers.

In its blog post, Microsoft Threat Intelligence warned that the Russian hacking group Midnight Blizzard has been sending phishing emails to individuals in the US across sectors like government, academia, defense, and non-governmental organizations.

Spear-phishing involves sending highly personalized messages containing links to malicious sites designed to steal sensitive information. Some emails in the recent campaign involved senders posing as Microsoft employees, the blog noted, in an attempt to “add credibility.” They also made references to other cloud providers, like Amazon Web Services.

It remains unclear how many of these attacks, if any, achieved their intended outcome.

Microsoft said it detected the campaign on Oct. 22. According to the blog, the hackers sent phishing emails to more than 100 organizations that “contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate.”

“When the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system,” it continues.
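A defender-side check for the attachment pattern Microsoft describes above, added here as an example rather than code from Microsoft or the article: it parses an .rdp file, flags the resource-redirection settings that would let the remote host reach local drives, clipboard, printers, smart cards or WebAuthn requests once the session is up, and compares the target host against an allowlist of gateways the organization actually uses. The key names are the standard .rdp settings; the hostnames, the allowlist and the signature blob in the samples are constructed placeholders.

```python
"""Triage .rdp e-mail attachments for the pattern described above.

Added example, not code from Microsoft or the article. Assumes .rdp files use
the standard "name:type:value" line format and that the organisation keeps an
allowlist of RDP hosts it legitimately connects to. Hostnames below are
constructed placeholders.
"""
from dataclasses import dataclass

# Settings that expose local resources to the remote host once a session is
# up; each lambda returns True when the setting's value enables it.
REDIRECTION_KEYS = {
    "drivestoredirect:s": lambda v: v != "",   # local drives mapped into the session
    "devicestoredirect:s": lambda v: v != "",  # plug-and-play devices
    "redirectclipboard:i": lambda v: v == "1",
    "redirectprinters:i": lambda v: v == "1",
    "redirectsmartcards:i": lambda v: v == "1",
    "redirectcomports:i": lambda v: v == "1",
    "redirectwebauthn:i": lambda v: v == "1",  # passkey/WebAuthn requests forwarded
}


@dataclass
class RdpFinding:
    target: str            # value of "full address"
    signed: bool           # a signature block is present (says nothing about trust)
    redirections: list     # redirection settings that are enabled
    unknown_host: bool     # target host is not on the allowlist
    risk: str              # "low", "medium" or "high"


def parse_rdp(text: str) -> dict:
    """Return {"name:type": value} for every well-formed line in an .rdp file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line:
            continue
        # Names may contain spaces ("full address"), and values may contain
        # colons (host:port), so split on the first two colons only.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[f"{name.strip().lower()}:{typ.strip().lower()}"] = value.strip()
    return settings


def triage_rdp(text: str, allowed_hosts: set) -> RdpFinding:
    """Classify one .rdp file; the caller decides whether to quarantine it."""
    s = parse_rdp(text)
    target = s.get("full address:s", "")
    # Drop a trailing :port. (IPv6 literals would need bracket handling.)
    host = target.split(":")[0].lower()
    redirections = [k for k, enabled in REDIRECTION_KEYS.items()
                    if k in s and enabled(s[k])]
    unknown_host = host == "" or host not in {h.lower() for h in allowed_hosts}
    signed = "signature:s" in s
    if redirections and unknown_host:
        risk = "high"
    elif redirections or unknown_host:
        risk = "medium"
    else:
        risk = "low"
    return RdpFinding(target, signed, redirections, unknown_host, risk)


# Constructed samples: one resembling the campaign's attachment, one benign.
SUSPICIOUS_RDP = """\
full address:s:rdp-placeholder.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Drives To Redirect
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

BENIGN_RDP = """\
full address:s:rdp.corp.example
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

ALLOWED_HOSTS = {"rdp.corp.example"}  # constructed allowlist

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        f = triage_rdp(body, ALLOWED_HOSTS)
        print(f"{label}: risk={f.risk} target={f.target!r} signed={f.signed} "
              f"redirections={f.redirections}")
```

The `signed` field is reported but deliberately does not lower the score: a signature only shows that some certificate signed the file, and the campaign's attachments were signed with a LetsEncrypt certificate, so presence of a signature is not evidence of a trusted sender. The useful signal is the combination of an off-allowlist target with redirection enabled.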

The tech giant believes that the operation is likely focused on gathering intelligence.

“Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection,” Microsoft said.

The US and UK governments have linked the hacker group to Russia’s Foreign Intelligence Service (SVR). Active since 2018, the group typically targets governments, diplomatic organizations, NGOs, and IT service providers, with a focus on entities in the US and Europe.

“While this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor. Overlapping activity has also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0215 and also by Amazon,” Microsoft explains.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.
