The ongoing cyber-espionage campaign conducted by Russia’s Midnight Blizzard threat group has recently come under scrutiny for its potentially larger scope than initially believed. According to research released by Trend Micro, the campaign has targeted international entities across government, armed forces, and academic institutions.
Researchers at Trend Micro have been tracking Midnight Blizzard, also known as Earth Koshchei, and noted a significant spike in activity in October. During this period, the threat group was observed targeting up to 200 entities daily with phishing emails containing a malicious Remote Desktop Protocol (RDP) file, along with red-team testing tools. The objective was to take control of victim systems, either to steal sensitive data or plant malware within them. The volume of attacks during this peak period exceeded what similar threat groups like Pawn Storm typically accomplish over the course of multiple weeks.
These attacks involved tailored spear-phishing emails sent to the intended victims, containing a malicious or rogue RDP configuration file. Upon opening these files, the victim’s system would be directed to a remote system controlled by the attackers. The use of RDP configuration files facilitates remote access to enterprise systems by storing necessary settings for establishing connections.
Trend Micro’s research revealed that Midnight Blizzard utilized the open-source PyRDP tool to act as an adversary-in-the-middle proxy, redirecting connection requests from victim systems to domains and servers controlled by the attackers. This attack technique, known as ‘rogue RDP,’ involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file. Victims of this technique unwittingly grant partial control of their machines to the attackers, resulting in potential data leaks and the installation of malware.
In August, Midnight Blizzard began setting up over 200 domain names to serve as part of the attack chain, along with 34 rogue RDP backend servers as part of their vast infrastructure. The domain names utilized by the threat group suggested targets in government and military entities from the US, Europe, Japan, Australia, and Ukraine, including ministries of foreign affairs, academic researchers, and military organizations. The scale and sophistication of the RDP campaign were significant, as noted by Trend Micro.
Midnight Blizzard has been identified by the US government as a cyber-espionage group associated with Russia’s foreign intelligence service. The group has been involved in several high-profile breach incidents, including security breaches at Microsoft, SolarWinds, HPE, and various US federal government agencies. Their tactics typically involve sophisticated spear-phishing emails, stolen credentials, and supply chain attacks to gain initial access to target systems. They also exploit vulnerabilities in widely used networking and collaboration tools from vendors such as Pulse Secure, Citrix, Zimbra, and Fortinet.
One notable aspect of Midnight Blizzard’s approach is their use of legitimate pen testing and red-team tools to evade detection by endpoint security controls. By using RDP itself and tools like PyRDP, the threat group can operate covertly within compromised networks. Additionally, they often leverage residential proxy services, Tor, and VPNs to anonymize their activities for added stealth.
Unlike traditional malware-based attacks, Midnight Blizzard’s operations rely on malicious configuration files with dangerous settings, enabling them to conduct stealthy living-off-the-land operations that are more difficult to detect. Trend Micro recommends that organizations block outbound RDP connection requests and blacklist RDP configuration files in email to mitigate the risk posed by this threat group.
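The recommendation to block RDP configuration files in email can be made more precise than a blanket attachment ban: an .rdp file is a plain-text list of `key:type:value` lines, so a mail gateway or triage script can parse it and look for exactly the properties that make the rogue-RDP technique work, namely a connection target outside the organization combined with settings that hand local resources (drives, clipboard, smart cards) to whoever runs the remote host. The following is an added example, not Trend Micro’s tooling or anything from the campaign itself. The setting names are real keys from the RDP file format; the sample file contents, the hostnames, and the allowlist of internal hosts are constructed for illustration.

```python
"""Triage an .rdp attachment for rogue-RDP characteristics.

Added example (not Trend Micro's code). The .rdp format is 'key:type:value'
per line, where type is 's' (string) or 'i' (integer). Sample inputs and the
internal-host allowlist below are constructed for this illustration.
"""
import re

# Integer flags that expose local devices to the remote host when set to 1.
REDIRECTION_FLAGS = {
    "redirectclipboard:i": "clipboard shared with remote host",
    "redirectprinters:i": "printers shared with remote host",
    "redirectsmartcards:i": "smart cards usable from remote host",
    "redirectcomports:i": "serial ports shared with remote host",
    "redirectposdevices:i": "POS devices shared with remote host",
    "redirectwebauthn:i": "WebAuthn/FIDO prompts forwarded to remote host",
}
# String lists that map local drives or USB devices into the session.
RESOURCE_LISTS = {
    "drivestoredirect:s": "local drives mapped into the session",
    "usbdevicestoredirect:s": "USB devices forwarded to remote host",
}
# Constructed allowlist: suffixes of hosts staff are expected to RDP into.
INTERNAL_HOST_SUFFIXES = (".corp.example",)

_LINE_RE = re.compile(r"^([^:]+):([si]):(.*)$")


def parse_rdp(text: str) -> dict:
    """Return {'key:type': value} for every well-formed line; ignore the rest."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            key = f"{m.group(1).strip().lower()}:{m.group(2)}"
            settings[key] = m.group(3).strip()
    return settings


def assess_rdp(text: str) -> dict:
    """Score an .rdp file: 'block', 'review' or 'allow' plus the reasons."""
    settings = parse_rdp(text)
    findings = []

    # 'full address' may carry a port; IPv6 literals are not handled here.
    target = settings.get("full address:s", "")
    host = target.split(":")[0].lower()
    external = bool(host) and not host.endswith(INTERNAL_HOST_SUFFIXES)
    if not host:
        findings.append("no target host")
    elif external:
        findings.append(f"target host outside allowlist: {host}")

    for key, desc in REDIRECTION_FLAGS.items():
        if settings.get(key) == "1":
            findings.append(desc)
    for key, desc in RESOURCE_LISTS.items():
        if settings.get(key):
            findings.append(f"{desc}: {settings[key]}")
    if settings.get("remoteapplicationmode:i") == "1":
        prog = settings.get("remoteapplicationprogram:s", "?")
        findings.append(f"RemoteApp launch on connect: {prog}")

    # Exposure findings are everything except the host-allowlist result.
    exposure = [f for f in findings if not f.startswith("target host")]
    if external and exposure:
        verdict = "block"      # external endpoint plus device exposure
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "findings": findings, "verdict": verdict}


# Constructed sample: what a rogue-RDP attachment tends to look like.
ROGUE_RDP = """\
full address:s:rdp-update.attacker-controlled.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Update
"""

# Constructed sample: a plain connection to an internal terminal server.
BENIGN_RDP = """\
full address:s:ts01.corp.example
screen mode id:i:2
authentication level:i:2
"""

if __name__ == "__main__":
    for name, body in (("rogue", ROGUE_RDP), ("benign", BENIGN_RDP)):
        result = assess_rdp(body)
        print(f"{name}: {result['verdict']} -> {result['findings']}")
```

The allowlist check is what separates an ordinary internal RDP shortcut from a lure: a file pointing at an unknown host with drive redirection enabled should never be delivered to a user, while a file pointing at an internal host with redirection enabled can be queued for analyst review rather than dropped outright.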
In conclusion, the Midnight Blizzard cyber-espionage campaign demonstrates the level of sophistication and persistence of threat actors engaged in malicious activities. The need for enhanced cybersecurity measures and proactive defense strategies has never been more crucial in safeguarding sensitive data and critical infrastructure from such ongoing threats.