An espionage campaign targeting mainly European organizations has been linked to a Russian nation-state threat actor, who exploited lesser-known features of the Microsoft Windows Remote Desktop Protocol (RDP) to conduct cyber attacks. The group, tracked as UNC5837, was observed using RDP to read victim drives, steal files, and capture clipboard data, according to the Google Threat Intelligence Group.
Unlike traditional RDP attacks, which rely on interactive sessions, this campaign used resource redirection to carry out its malicious activity. Evidence suggests the attackers may have used an RDP proxy tool such as PyRDP to automate their operations. The campaign, originally disclosed by Amazon in October 2024, combined two lesser-known RDP features: presenting a malicious application to the victim and reading data from victim machines through redirected resources. Its primary focus was European government and military entities.
The attacks began with phishing emails sent to victims regarding projects related to Amazon, Microsoft, and the Ukrainian State Secure Communications and Information Security Agency. These emails contained signed .rdp file attachments posing as applications relevant to the projects. When executed, the files established RDP connections from infected machines to the hackers’ command and control servers. The use of a web certificate to sign the .rdp file helped the attackers avoid detection.
In the subsequent stages of the attacks, the hackers presented a malicious application disguised as an "AWS Secure Storage Connection Stability Test" on infected devices. The exact purpose of this application remains unclear, but it likely served as a phishing lure that persuaded victims to open the file and accept the connection. Once the connection was established, the hackers gained read and write access to the victim devices, enabling them to steal files and extract clipboard data. Google suspects that the hackers may have leveraged PyRDP for automation, potentially to pilfer hashed passwords.
This campaign highlights the trend of threat actors weaponizing red teaming tools, originally designed for educational purposes, for malicious activities. To mitigate further attacks utilizing RDP, Google advises limiting file read activity on Windows devices, blocking outgoing RDP traffic to public IP addresses at the network level, and prohibiting .rdp file attachments in email communications.
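As an added example (not code from Google's report or from the campaign), the checker below parses a .rdp attachment and reports the settings this campaign relied on: drive and clipboard redirection, a session presented as an application window (remoteapplicationmode), a connection target outside assumed internal ranges, and a signature block. The sample file, the application name and the internal ranges are constructed; the setting names are the documented Remote Desktop Connection keys.

```python
import ipaddress
import re

# Constructed sample .rdp body (not a real attachment); key names are the
# documented Remote Desktop Connection settings, values are invented.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:203.0.113.10:3389
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
drivestoredirect:s:*
redirectclipboard:i:1
signscope:s:Full Address,Remote Application Mode
signature:s:AAAA
"""

# Assumed corporate ranges; anything else is treated as an external target.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Keys that hand the remote server access to local resources or hide the
# session behind an application window, with the reason to report.
RISKY_KEYS = {
    "drivestoredirect": "local drives exposed to the remote server",
    "redirectclipboard": "clipboard exposed to the remote server",
    "remoteapplicationmode": "session shown as a seamless application window",
    "devicestoredirect": "plug-and-play devices exposed",
    "usbdevicestoredirect": "USB devices exposed",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines (type s, i or b) into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([sib]):(.*)$", line.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def analyze_rdp(text):
    """Return (key, reason) findings for a .rdp file body."""
    s = parse_rdp(text)
    findings = [(k, why) for k, why in RISKY_KEYS.items()
                if s.get(k, "") not in ("", "0")]
    host = s.get("full address", "").rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append(("full address", f"target {host} is outside internal ranges"))
    except ValueError:
        if host:  # hostname: resolve it and check the result against the allowlist
            findings.append(("full address", f"hostname {host} needs review"))
    if "signature" in s:
        findings.append(("signature", "file is signed; verify the signing certificate"))
    return findings
```

Mail-gateway or EDR tooling can run analyze_rdp over every .rdp attachment and quarantine any file that produces findings, which covers the policy of prohibiting .rdp attachments while still explaining why a given file was stopped.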
In conclusion, this Russian nation-state espionage campaign against European organizations shows how attacker tactics continue to evolve. By exploiting lesser-known features of a common protocol like RDP, intruders can infiltrate high-profile targets and extract valuable information. Organizations should stay vigilant, keep their security controls up to date, and adopt the recommended practices to defend against sophisticated threats.