The leading advanced persistent threat group in Russia has been phishing thousands of targets in businesses, government agencies, and military institutions.
APT29 (also known as Midnight Blizzard, Nobelium, and Cozy Bear) is one of the world's most prominent threat actors. It is well known for the historic breaches of SolarWinds and the Democratic National Committee (DNC), which are carried out by the Russian Federation's Foreign Intelligence Service (SVR). It has recently breached Microsoft's codebase and political targets in Europe, Africa, and beyond.
"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" notes Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations.”
In the same vein, the Computer Emergency Response Team of Ukraine (CERT-UA) recently found APT29 phishing Windows credentials from government, military, and commercial sector targets in Ukraine. After comparing notes with authorities in other nations, CERT-UA discovered that the campaign had expanded across "a wide geography."
It is not surprising that APT29 would target sensitive credentials from geopolitically influential and diversified organisations, according to Narang. However, "the one thing that does kind of stray from the path would be its broad targeting, versus [its typical more] narrowly focused attacks.”
AWS and Microsoft
Malicious domain names that were intended to seem to be linked to Amazon Web Services (AWS) were used in the August campaign. The emails received from these domains simulated to give recipients advice on how to set up zero trust architecture and combine AWS with Microsoft services. Despite the charade, AWS stated that neither Amazon nor its customers' AWS credentials were the target of the attackers.
The attachments to those emails revealed what APT29 was really looking for: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol. RDP is a common remote access technique used by regular consumers and hackers.
"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection [upfront],'" Narang added.
Launching one of these malicious attachments would have resulted in an immediate outbound RDP connection to an APT29 server. But that wasn't all: the files contained a number of other malicious parameters, such that when a connection was established, the perpetrator gained access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, as well as the ability to execute custom malicious scripts.