Russian Espionage Campaign Leverages RDP Files in Large-Scale Phishing Attack

A large-scale phishing campaign run by Russia's foreign intelligence service, the SVR, is now in its second week and is targeting government, NGO, academic, and defense organizations, according to Microsoft. The operation, identified on October 22, marks a change from the SVR's usual tactics: it uses remote desktop protocol (RDP) configuration files to gain access to victims' systems. The Midnight Blizzard APT group, also known as APT29 or Cozy Bear, sent RDP files in phishing emails to thousands of recipients across more than 100 organizations. When a recipient opens one of these files, the RDP client connects the device to a server controlled by the threat actors and exposes local resources, including hard disks, printers, and authentication features, to that server, which can then be used to install malware.

Microsoft, Ukraine's CERT-UA, and Amazon have all flagged the campaign, noting that the emails were written in Ukrainian, primarily targeted the UK, Europe, Australia, and Japan, and in some cases impersonated Microsoft or other cloud providers. CERT-UA also suggested that preparation for the campaign may date back to August. The campaign's exact success rate remains unclear, but Midnight Blizzard's history shows a consistent focus on collecting sensitive information: the group previously breached Microsoft's own systems and accessed U.S. government emails.
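As an added example (not code from the article or from any of the vendors it cites), the following Python script shows how a defender could triage a quarantined .rdp attachment for the resource-redirection settings the article describes. The setting names are the documented mstsc .rdp keys; the sample file, its hostname and the trusted-host list are constructed for illustration.

```python
import re

# .rdp settings that hand local resources to the remote host. Any non-empty /
# non-zero value enables the redirection (e.g. "drivestoredirect:s:*" shares all drives).
RISKY_SETTINGS = {
    "drivestoredirect": "local drives shared with the remote host",
    "redirectprinters": "local printers shared with the remote host",
    "redirectsmartcards": "smart cards / authentication devices exposed to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectcomports": "COM ports shared with the remote host",
    "remoteapplicationmode": "RemoteApp mode hides the full remote desktop from the user",
}

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; type s = string, i = integer, b = binary blob."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([sib]):(.*)$", line)
        if m:
            name, typ, val = m.group(1).strip().lower(), m.group(2), m.group(3).strip()
            settings[name] = int(val) if typ == "i" and val.lstrip("-").isdigit() else val
    return settings

def triage_rdp(text: str, trusted_hosts: set) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    s = parse_rdp(text)
    findings = []
    host = str(s.get("full address", "")).split(":")[0].lower()  # strip optional :port
    if host and host not in trusted_hosts:
        findings.append(f"connects to untrusted host {host!r}")
    for key, why in RISKY_SETTINGS.items():
        val = s.get(key)
        if val not in (None, 0, "", "0"):
            findings.append(f"{key}={val!r}: {why}")
    return findings

# Constructed sample resembling a lure that redirects drives, printers and smart cards
# to an attacker-controlled host (placeholder name, not a real indicator).
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectprinters:i:1
redirectsmartcards:i:1
redirectclipboard:i:1
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP, {"rdp.corp.example"}):
        print("FLAG:", finding)
```

In a mail gateway or EDR pipeline the same check can run on every .rdp attachment, with the trusted-host set populated from the organization's own RDP gateways.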
