Microsoft issues warning for ongoing Russia-affiliated spear-phishing campaign
The threat actor behind the 2020 SolarWinds attacks has a new intelligence-gathering operation.
Microsoft has issued a warning about an ongoing spear-phishing campaign by a threat actor called Midnight Blizzard, which US and UK authorities have previously linked to Russia's intelligence agency. The company said it discovered that the bad actor has been sending out "highly targeted spear-phishing emails" since at least October 22 and that it believes the operation's goal is to collect intelligence. In this campaign the group has been emailing individuals across a range of sectors; historically it is known for targeting government and non-government organizations, IT service providers, academia and defense. And while it mostly focuses on organizations in the US and in Europe, this campaign also targeted individuals in Australia and Japan.
Midnight Blizzard has already sent out thousands of spear-phishing emails to over 100 organizations for this campaign, Microsoft said, explaining that those emails carry a signed Remote Desktop Protocol (RDP) configuration file as an attachment that connects to a server the bad actor controls. The group used email addresses belonging to real organizations, stolen during its previous activities, to make targets think they are opening legitimate emails. It also used social engineering techniques to make the emails look as if they were sent by employees of Microsoft or Amazon Web Services.
If the target opens the RDP attachment, a connection is established to the server Midnight Blizzard controls. That connection gives the bad actor access to the target's files, any network drives or peripherals (such as microphones and printers) connected to their computer, as well as their passkeys, security keys and other web authentication information. It could also be used to install malware on the target's computer and network, including remote-access trojans that would let the actor keep access to the victim's system even after the initial RDP connection has been closed.
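The danger in this attachment lies in the redirection settings inside the .rdp file, which hand local drives, peripherals and WebAuthn credentials to whatever host the file names. The following is an added triage example, not code from Microsoft or from the article: it parses the standard `key:type:value` lines of an .rdp file and reports why the file should be blocked. The sample file, the lookalike hostname and the trusted-host list are constructed for illustration; the setting names are standard .rdp keys, and no signature checking is performed.

```python
import re

# Constructed sample .rdp attachment of the kind the article describes: it
# points at an external host and redirects local resources into the session.
SAMPLE_RDP = """full address:s:rdp.example-lookalike.invalid:443
drivestoredirect:s:*
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
audiocapturemode:i:1
"""

# Standard .rdp keys that hand local resources to the remote host. A value of
# None means "any non-empty value is risky" (drivestoredirect lists drives).
RISKY_SETTINGS = {
    "drivestoredirect": (None, "local drives exposed to remote host"),
    "redirectwebauthn": ("1", "passkeys/security keys redirected"),
    "redirectsmartcards": ("1", "smart cards redirected"),
    "redirectprinters": ("1", "printers redirected"),
    "audiocapturemode": ("1", "microphone redirected"),
}

# Each line is key:type:value, where type is s (string), i (int) or b (binary).
LINE_RE = re.compile(r"^([^:]+):[sib]:(.*)$")


def parse_rdp(text):
    """Parse the key:type:value lines of an .rdp file into {key: value}."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(2).strip()
    return settings


def assess_rdp(text, trusted_hosts=()):
    """Return findings explaining why an .rdp attachment deserves blocking."""
    settings = parse_rdp(text)
    findings = []
    # "full address" may carry a :port suffix; compare the host part only.
    host = settings.get("full address", "").split(":")[0].lower()
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to untrusted host {host}")
    for key, (bad_value, reason) in RISKY_SETTINGS.items():
        value = settings.get(key)
        if value is None:
            continue
        if (bad_value is None and value) or value == bad_value:
            findings.append(f"{key}={value}: {reason}")
    return findings
```

Running `assess_rdp(SAMPLE_RDP, trusted_hosts=["rdp.corp.example"])` on the constructed sample yields six findings, one for the untrusted host and one per redirection setting; a mail gateway can apply the same check to any inbound .rdp attachment.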
The group is known by many other names, such as Cozy Bear and APT29, but you might remember it as the threat actor behind the 2020 SolarWinds attacks, in which it managed to infiltrate hundreds of organizations around the world. It also broke into the emails of several senior Microsoft executives and other employees earlier this year, accessing communication between the company and its customers. Microsoft didn't say whether this campaign has anything to do with the US presidential election, but it's advising potential targets to be more proactive in protecting their systems.