Thousands of individuals in more than 100 government, defense, academic, and non-government organizations around the world have been targeted by Russian state-backed hacking group Midnight Blizzard, also known as APT29, in a spear-phishing campaign that has been ongoing since Oct. 22, reports The Record, a news site by cybersecurity firm Recorded Future.
Malicious emails delivered by attackers — who sometimes spoofed Microsoft employees or leveraged Microsoft- and Amazon Web Services-related social engineering lures — included Remote Desktop Protocol configuration files as attachments, which when executed established a connection between the targeted devices and the attacker-controlled server, according to a report from Microsoft's Threat Intelligence team. Threat actors could then proceed with malware deployment, network mapping, and credential compromise, researchers said.

Such findings come after APT29 was reported by Amazon to have exploited thousands of AWS spoofing domains to exfiltrate credentials from Ukrainian-speaking targets. "Upon learning of this activity, we immediately initiated the process of seizing the domains APT29 was abusing which impersonated AWS in order to interrupt the operation," said Amazon Chief Information Security Officer CJ Moses.
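As an added example (not code from the article or from Microsoft's report), the following Python triage check is what a mail-gateway or incident-response analyst could run over .rdp attachments of the kind described above: it flags files that point at a host outside an assumed trusted-domain list and that enable resource redirection, which is what hands the remote server access to the local machine once the user connects. The .rdp setting names are standard Remote Desktop Client keys; the sample file contents and the trusted-domain list are constructed for the example.

```python
import re

# Settings that expose local resources to the remote host, or (RemoteApp mode)
# make the remote session look like a locally running application.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",     # e.g. "*" redirects all drives
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "remoteapplicationmode": lambda v: v.strip() == "1",
}


def parse_rdp(text):
    """Parse 'key:type:value' lines of an .rdp file into a dict (keys lower-cased)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):[sib]:(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(2)
    return settings


def triage_rdp(text, trusted_suffixes=("corp.example",)):
    """Return a list of findings for one .rdp file; an empty list means nothing flagged.

    trusted_suffixes is an assumed allow-list of domains the organisation's own
    RDP hosts live under (constructed for this example).
    """
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0].strip().lower()
    if not host:
        findings.append("no full address")
    elif not any(host == d or host.endswith("." + d) for d in trusted_suffixes):
        findings.append(f"connects to untrusted host {host}")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key} enabled ({s[key].strip()})")
    return findings


# Constructed samples: one resembling a malicious attachment (external host plus
# full drive, clipboard, printer and smart-card redirection) and one benign file.
SAMPLE_MALICIOUS = """\
full address:s:rdp.attacker-controlled.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
"""
SAMPLE_BENIGN = "full address:s:ts01.corp.example\nredirectclipboard:i:0\n"

if __name__ == "__main__":
    for name, text in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rdp(text) or "no findings")
```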