Russian-backed hacking group impersonating Microsoft, AWS in ‘highly targeted’ social engineering attacks with UK in crosshairs
Microsoft and Amazon Web Services (AWS) have warned of targeted attacks by a Russian-backed group impersonating staff of the two companies.
The group, tracked by Microsoft as Midnight Blizzard and by AWS as APT29, is known for carrying out hacks on organisations and individuals to gather intelligence on behalf of Russia’s Foreign Intelligence Service (SVR).
The group has been sending out “highly targeted spear-phishing emails” to individuals in government, academia, defence, non-governmental organisations, and other sectors since 22 October, Microsoft said in an advisory.
The emails appear to be sent from addresses gathered during previous compromises in order to appear more authentic, Microsoft said.
RDP attachment
They impersonate Microsoft or AWS employees and reference the concept of zero-trust as a social engineering lure.
Microsoft said it had tracked thousands of the emails sent to targets in more than 100 organisations.
They target dozens of countries, but particularly the UK, other European countries, Australia and Japan.
As a novel feature, the emails contain configuration file attachments for Remote Desktop Protocol (RDP) that attempt to establish a link from the user’s system to a remote attacker-controlled server.
The settings in the malicious attachment contain “several sensitive settings that would lead to significant information exposure”, Microsoft said.
Once a target system is compromised, it connects to the attacker’s server and bidirectionally maps the targeted user’s local device’s resources to the server.
Resources sent to the server may include all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of Windows, including smart cards, Microsoft said.
This access would enable the attacker to install malware on the user’s local drives and mapped network shares, or to install tools such as remote access trojans to maintain access after the RDP session is closed.
“The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system,” the advisory stated.
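The exposure Microsoft describes comes from ordinary RDP connection-file settings (drive, clipboard, printer, smart card and device redirection, plus weakened server authentication). The following is an added triage example, not code from the article, Microsoft or AWS: it parses a `.rdp` attachment's `name:type:value` lines and flags settings that hand local resources to the remote host or point at a host outside an allowlist. The article does not list the exact keys the campaign set, so the `RISKY` table is an assumption built from documented RDP file settings, and the sample attachment, its hostname and the allowlist are constructed placeholders.

```python
"""Triage a .rdp email attachment for settings that expose local resources.

Added example (not from the article, Microsoft or AWS).  The RISKY table is
an assumption built from documented RDP file keys; the campaign's exact keys
are not given in the article.
"""
import re
from typing import Callable, Dict, List, Set, Tuple

# Each RDP setting is one line: "<name>:<type>:<value>", type s/i/b.
RDP_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {lowercased key: (type, value)}; unparseable lines are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()  # tolerate BOM residue from UTF-16 files
        m = RDP_LINE.match(line)
        if m:
            settings[m.group("key").strip().lower()] = (
                m.group("type"), m.group("value").strip())
    return settings


def _nonempty(v: str) -> bool:
    return v != ""


def _one(v: str) -> bool:
    return v == "1"


def _zero(v: str) -> bool:
    return v == "0"


# (key, predicate on value, why it matters).  Assumed list of documented keys.
RISKY: List[Tuple[str, Callable[[str], bool], str]] = [
    ("drivestoredirect",      _nonempty, "local drives mapped into the remote session"),
    ("devicestoredirect",     _nonempty, "plug-and-play devices redirected"),
    ("redirectclipboard",     _one,      "clipboard shared with the remote host"),
    ("redirectprinters",      _one,      "printers redirected"),
    ("redirectsmartcards",    _one,      "smart cards usable by the remote host"),
    ("redirectwebauthn",      _one,      "WebAuthn/FIDO authenticators usable by the remote host"),
    ("redirectcomports",      _one,      "serial (COM) ports redirected"),
    ("audiocapturemode",      _one,      "microphone audio sent to the remote host"),
    ("remoteapplicationmode", _one,      "RemoteApp mode hides the full remote desktop"),
    ("authentication level",  _zero,     "server identity warnings suppressed"),
    ("enablecredsspsupport",  _zero,     "network level authentication disabled"),
]


def host_of(settings: Dict[str, Tuple[str, str]]) -> str:
    """Host part of 'full address', with an optional :port stripped."""
    addr = settings.get("full address", ("s", ""))[1]
    return (addr.rsplit(":", 1)[0] if ":" in addr else addr).lower()


def assess(text: str, allowed_hosts: Set[str]) -> dict:
    """Parse the attachment and return host, findings and a block/allow verdict."""
    settings = parse_rdp(text)
    host = host_of(settings)
    findings = [why for key, bad, why in RISKY
                if key in settings and bad(settings[key][1])]
    if host and host not in allowed_hosts:
        findings.insert(0, f"connects to non-allowlisted host {host!r}")
    return {"host": host, "findings": findings,
            "verdict": "block" if findings else "allow"}


# Constructed attachment; the hostname is a placeholder, not an indicator
# taken from the article or the vendor advisories.
SAMPLE_RDP = """\
full address:s:rdp-placeholder.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
authentication level:i:0
enablecredsspsupport:i:1
"""

# Constructed benign file that only reaches an allowlisted internal gateway.
BENIGN_RDP = """\
full address:s:gateway.corp.example
redirectclipboard:i:0
authentication level:i:2
"""

ALLOWED: Set[str] = {"gateway.corp.example"}  # assumed corporate RDP gateway

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        result = assess(text, ALLOWED)
        print(f"{name}: {result['verdict']} (host={result['host']!r})")
        for finding in result["findings"]:
            print("  -", finding)
```

A mail gateway can run `assess` on any attachment whose extension or content matches the `.rdp` format and quarantine on `block`; the findings list doubles as the analyst-facing explanation of which resources the file would have exposed. Because keys are matched case-insensitively after stripping whitespace, trivially obfuscated variants of the same settings are still caught, but a file that only sets `full address` to an unknown host is still flagged on the allowlist check alone.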
Credential theft
Last week AWS said the group was targeting government agencies, companies, and militaries in an effort to steal credentials from Russian adversaries.
The campaign used Ukrainian-language emails and referenced AWS domains, while in reality attempting to steal Windows credentials through RDP, Amazon said.
Microsoft blamed Midnight Blizzard for an attack on its systems in January that allowed it to access emails and documents.
In June Microsoft president Brad Smith faced a US congressional panel to answer questions over that hack and another by China-linked hackers that accessed tens of thousands of corporate emails, as well as emails from US federal agencies and the Home Office that may have included authentication details.
Microsoft chief executive Satya Nadella asked the company’s board to reduce one of his incentives over the high-profile hacks, but his pay still soared 63 percent for Microsoft’s 2024 financial year.