Russian spies use remote desktop protocol files in unusual mass phishing drive

The prolific Midnight Blizzard crew cast a much wider net in search of scrummy intel


Microsoft says a mass phishing campaign by Russia's foreign intelligence services (SVR) is now in its second week, and the spies are using a novel info-gathering technique.

First spotted on October 22, Microsoft said in a report published Tuesday that the spearphishing attempts are "ongoing" and targeting governments, NGOs, academia, and defense organizations.

Infoseccers at the Windows-maker said Midnight Blizzard, an advanced persistent threat (APT) group widely attributed to Russia's SVR, was behind the attacks. The phishing emails targeted thousands of individuals at more than 100 organizations – a deviation from the group's usual, highly targeted approach – and included remote desktop protocol (RDP) configuration files as attachments.

These RDP config files were especially interesting to researchers. Midnight Blizzard (or APT29, Cozy Bear, or any of the various other monikers the industry assigns to the group) had never used them as an initial access method before.

Should a victim run the files, an RDP connection to the Midnight Blizzard-owned system would be established. The configuration files were crafted in such a way that their settings allowed for "significant information exposure" on the victim's side, Microsoft said.

"Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user's local device's resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. 

"This access could enable the threat actor to install malware on the target's local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system."
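As an added, defender-side example (not part of The Register's article or Microsoft's report), the script below parses the plain-text .rdp format and flags the redirection settings that would hand the resources Microsoft lists above (drives, clipboard, printers, devices, audio, smart cards) to the remote host. The sample attachment is constructed and its host name is a placeholder; the setting names are standard RDP file settings, but which ones to flag is this example's own judgement.

```python
from typing import Dict, List, Tuple

# .rdp files are plain text, one "<setting>:<type>:<value>" per line (type s = string,
# i = integer). The settings below are standard RDP settings; choosing which to flag is
# this example's own judgement, based on the resources Microsoft lists as exposed.
RISKY_SETTINGS = {
    "drivestoredirect":   "local drives mapped to the remote host",
    "redirectclipboard":  "clipboard shared with the remote host",
    "redirectprinters":   "printers redirected",
    "redirectsmartcards": "smart cards redirected (authentication exposure)",
    "devicestoredirect":  "plug-and-play devices redirected",
    "redirectcomports":   "serial ports redirected",
    "audiocapturemode":   "microphone capture redirected",
}

# Constructed sample attachment; the host name is a placeholder, not a real indicator.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
audiocapturemode:i:1
redirectcomports:i:0
prompt for credentials:i:0
"""

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (type, value)}; comment and malformed lines are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().split(":", 2)]
        if len(parts) != 3 or parts[0].startswith(";"):
            continue
        settings[parts[0].lower()] = (parts[1].lower(), parts[2])
    return settings

def _enabled(typ: str, value: str) -> bool:
    if typ == "i":
        return value.lstrip("-").isdigit() and int(value) != 0
    return value != ""  # string settings: e.g. drivestoredirect:s:* maps every drive

def assess(text: str) -> List[str]:
    """List each redirection the file would enable toward its 'full address' host."""
    s = parse_rdp(text)
    host = s.get("full address", ("s", "<none>"))[1]
    return [f"{k}={s[k][1]} -> {host}: {why}" for k, why in RISKY_SETTINGS.items()
            if k in s and _enabled(*s[k])]
```

Run `assess()` over .rdp attachments at the mail gateway or in a sandbox; a file that redirects drives or smart cards to a host outside your estate is worth quarantining regardless of who the sender claims to be.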

Microsoft's findings echo those of Ukraine's Computer Emergency Response Team (CERT-UA) and Amazon, both of which drew attention to Russia's activity closer to the campaign's October 22 start date.

The emails were composed in the Ukrainian language and primarily targeted organizations in the UK, Europe, Australia, and Japan – the usual territories in Midnight Blizzard's crosshairs. In some, the attackers presented as Microsoft employees in a bid to increase the feeling of legitimacy, while others featured impersonations of other cloud providers.

CERT-UA said the subject lines were themed around integration issues with Amazon and Microsoft's services, and the implementation of zero trust architectures. It added that the domain names associated with the attack infrastructure indicated the campaign may have been planned since at least August this year.

Neither Microsoft, Amazon, nor CERT-UA mentioned anything about the degree to which these attacks saw success, whether any kind of malware was installed, or what kinds of information they were targeting.

However, we know from previous Midnight Blizzard intrusions that the group typically goes after sensitive files that can inform Russian intelligence operations.

The group's biggest success, at least of late, was its breach of Microsoft's own systems, disclosed by the tech giant back in January. Not only was the intrusion itself a surprise, but the scale and sensitivity of the data it accessed kept the story in the headlines for weeks and months afterwards.

It was infamously revealed months later that US government emails were accessed as a result of Midnight Blizzard's Microsoft breach. The cyberspies had access to email correspondence between Microsoft and its customers which contained authentication details that were then used in attempts to breach said customers.

This, of course, all came just a few months after a separate Microsoft intrusion – this time at the hands of China's cyberspooks. It was revealed in September 2023 that US government emails were stolen by Beijing following a successful attack on Exchange Online.

A damning review of the incident, published earlier this year and carried out by the Cyber Safety Review Board (CSRB), concluded that a "cascade of Microsoft's avoidable errors" led to the break-in.

In the same year but not believed to be related to the intrusion at Microsoft, the likes of HPE and TeamViewer also disclosed significant breaches attributed to the same unit inside Russia's SVR. ®
