Russia’s premier advanced persistent threat group has been engaging in phishing campaigns targeting thousands of entities in militaries, public authorities, and enterprises.
Known as APT29, or by other aliases such as Midnight Blizzard, Nobelium, and Cozy Bear, this group is considered one of the most notorious threat actors globally. Operating as a part of the Russian Federation’s Foreign Intelligence Service (SVR), APT29 has been responsible for major cyber-attacks in the past, including the breaches of SolarWinds and the Democratic National Committee (DNC). More recently, they have infiltrated Microsoft’s codebase and targeted political entities across Europe, Africa, and beyond.
Experts like Satnam Narang, senior staff research engineer at Tenable, emphasize that APT29 is characterized by its persistence in targeting organizations in the United States and Europe over an extended period. Their tactics involve methods like spear-phishing and exploiting vulnerabilities to gain access and maintain control within compromised systems. The primary objective of APT29 is to gather foreign intelligence and establish a foothold for future operations.
The Computer Emergency Response Team of Ukraine (CERT-UA) recently uncovered APT29’s phishing activities aimed at acquiring Windows credentials from government, military, and private sector entities in Ukraine. As investigations expanded, authorities discovered that this campaign had a broader geographical scope, affecting organizations beyond Ukraine.
The latest campaign by APT29, initiated in August, utilized malicious domain names designed to appear as if they were associated with Amazon Web Services (AWS). The phishing emails sent from these domains purported to provide guidance on integrating AWS with Microsoft services and implementing zero trust architecture. Despite the deceptive nature of the emails, AWS clarified that the attackers’ primary goal was not to obtain AWS credentials but to access configuration files for Remote Desktop, Microsoft’s application for Remote Desktop Protocol (RDP).
By tricking recipients into opening malicious attachments, APT29 sought to establish direct connections to target systems. These attachments facilitated unauthorized access to various components of the compromised devices, granting the attackers control over critical functionalities like storage, clipboard, audio devices, network resources, printers, and more. Furthermore, the perpetrators could execute custom malicious scripts upon gaining access.
Although APT29’s campaign did not utilize legitimate AWS domains, Amazon intervened by seizing the malicious imitations employed by the group. For potential victims, CERT-UA advises implementing stringent monitoring measures to detect connections to IP addresses linked to APT29 and scrutinizing all outgoing connections to IP addresses on the internet.
To mitigate risks associated with future attacks, Narang suggests a straightforward preventative measure: blocking RDP files from being received, which can be enforced at the email gateway level to disrupt APT29’s malicious activities. AWS declined to provide additional comments on the matter, while inquiries have been made to Microsoft for their input on the situation.
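The two defensive points above, the resource redirection an RDP connection file can request (drives, clipboard, audio, printers, devices) and Narang's suggestion of blocking RDP files at the email gateway, can be made concrete with a small gateway check. The following Python is an added example, not code from the article, CERT-UA, Tenable or AWS: it sniffs an attachment for the .rdp format even when renamed, drops it per the blanket policy, and records for the SOC which host the file would have connected to and which local resources it would have exposed. The setting names are the real .rdp keys; the sample file, hostname and filenames are constructed placeholders.

```python
"""Added example: triage of Remote Desktop (.rdp) attachments at an e-mail gateway.

An .rdp file is plain text with one "name:type:value" setting per line
(type "i" = integer, "s" = string). Settings such as drivestoredirect or
redirectclipboard make the Remote Desktop client hand local resources to
the remote host, which is what the lure attachments described above rely on.
"""
import codecs
from dataclasses import dataclass

# Real .rdp settings that expose local resources to the remote host when enabled.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "audiocapturemode": "microphone",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
    "devicestoredirect": "plug-and-play devices",
}
# Real settings that let the file's author choose what runs once the session is up.
LAUNCH_KEYS = ("alternate shell", "remoteapplicationprogram")


@dataclass
class RdpVerdict:
    host: str         # value of "full address": where the client would connect
    redirected: list  # resource classes the file would expose to that host
    launches: list    # program-launch settings present in the file

    @property
    def exposes_local_resources(self) -> bool:
        return bool(self.redirected or self.launches)


def _decode(data: bytes) -> str:
    """mstsc commonly writes .rdp files as UTF-16 with a BOM; fall back to UTF-8."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="ignore")


def parse_rdp(text: str) -> dict:
    """Parse name:type:value lines into {name: (type, value)}; malformed lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)   # value may itself contain ":" (host:port)
        if len(parts) != 3:
            continue
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def _enabled(typ: str, value: str) -> bool:
    """Integer settings are on when non-zero; string settings when non-empty."""
    if typ == "i":
        return value.isdigit() and int(value) != 0
    return value != ""


def is_rdp_attachment(filename: str, data: bytes) -> bool:
    """Match by extension or by content, so a renamed .rdp file is still caught."""
    if filename.lower().endswith(".rdp"):
        return True
    return "full address:s:" in _decode(data).lower()


def assess_rdp(text: str) -> RdpVerdict:
    """Summarise what a connection file would do if a user double-clicked it."""
    s = parse_rdp(text)
    host = s.get("full address", ("s", ""))[1]
    redirected = [label for key, label in REDIRECTION_KEYS.items()
                  if key in s and _enabled(*s[key])]
    launches = [key for key in LAUNCH_KEYS if key in s and s[key][1]]
    return RdpVerdict(host, redirected, launches)


def gateway_decision(filename: str, data: bytes):
    """Policy from the article: every RDP connection file is dropped. The verdict
    is returned alongside so the SOC can log the target host and exposure."""
    if not is_rdp_attachment(filename, data):
        return "allow", None
    return "block", assess_rdp(_decode(data))


# Constructed sample resembling a lure attachment; hostname is a placeholder.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:aws-zero-trust.example.invalid
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:1
audiocapturemode:i:1
devicestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:PLACEHOLDER_PROGRAM
"""

if __name__ == "__main__":
    decision, verdict = gateway_decision("AWS-Zero-Trust-Config.rdp", SAMPLE_RDP.encode())
    print(decision, verdict)
```

The content sniff matters more than the extension check: a mail filter keyed only on `.rdp` is bypassed by renaming, whereas the `full address:s:` signature is what the client needs to function. The verdict's `host` field is the value to feed into the outbound-connection monitoring CERT-UA recommends.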