- Trend Micro detects sophisticated phishing campaign targeting military and government targets
- Uses almost 200 RDP proxies to access endpoints
- Roughly 200 high-profile targets were hit on the campaign's peak day alone
An advanced persistent threat group known as Midnight Blizzard has launched a large-scale phishing campaign targeting governments, military organizations and academic researchers in the West.
The group leveraged red team methodologies and anonymization tools as it exfiltrated sensitive data from its targets' IT infrastructure, Trend Micro cybersecurity researchers revealed.
In a report, the researchers said the group used rogue remote desktop protocol (RDP) servers together with PyRDP, a Python-based RDP interception tool. The attack begins with a phishing email carrying a malicious RDP configuration (.rdp) file. If the victim opens it, the RDP client connects to a server controlled by the attacker.
On the Russian payroll
The campaign used 34 rogue RDP backend servers behind 193 proxy servers that relayed victims' connections and masked the attackers' infrastructure.
Once a victim connects, the attackers use PyRDP to intercept the session as a man-in-the-middle (MitM). With that access to the endpoint, they can browse files, exfiltrate sensitive data, and more.
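The connection file is the only artifact that reaches the victim's mailbox, so it is the natural place to stop the chain described in the two paragraphs above. The scanner below is an added example (not code from Trend Micro, the article, or the PyRDP project) for the Windows .rdp format, one `name:type:value` setting per line. It assumes a rogue file needs to point the client at an attacker-controlled host and map local drives, the clipboard or smart cards into the session in order to reach the victim's files; the article does not list the exact settings the campaign used, so the sample file, the `.corp.example` trusted suffix and the hostname are constructed.

```python
"""Triage an .rdp attachment before a user can double-click it.

Added example, not from the Trend Micro report or the article. Parses the
Windows .rdp connection-file format ('name:type:value' per line) and reports
settings that would hand a victim's drives, clipboard or smart card to an
external RDP server. Which settings a rogue file uses is an assumption here.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of what a rogue .rdp attachment could look like.
# The hostname is a reserved example domain, not an indicator from the report.
SAMPLE_RDP = """\
full address:s:rdp.example.net:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Secure Storage Test
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
prompt for credentials:i:0
"""

# Hostname suffixes an organisation expects its own .rdp files to use (assumption).
TRUSTED_SUFFIXES = (".corp.example",)


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Names may contain spaces ('full address') and values may contain ':'
    (host:port), so each line is split on at most two colons. Lines that do
    not fit the format are skipped rather than treated as an error.
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def _value(settings: Dict[str, Tuple[str, str]], name: str) -> str:
    return settings.get(name, ("", ""))[1]


def target_is_external(address: str) -> bool:
    """True when 'full address' is a public IP or a host outside TRUSTED_SUFFIXES."""
    if address.startswith("["):            # bracketed IPv6 literal, e.g. [fe80::1]:3389
        host = address[1 : address.index("]")]
    else:                                  # hostname or IPv4, with optional :port
        host = address.split(":")[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:                     # not an IP literal: judge by suffix
        return not host.lower().endswith(TRUSTED_SUFFIXES)


def assess_rdp(text: str) -> List[str]:
    """Return the reasons an .rdp file should be quarantined (empty list = clean)."""
    s = parse_rdp(text)
    findings: List[str] = []
    addr = _value(s, "full address")
    if addr and target_is_external(addr):
        findings.append(f"connects to external host {addr}")
    if _value(s, "redirectdrives") == "1" or _value(s, "drivestoredirect"):
        findings.append("local drives mapped into the remote session")
    if _value(s, "redirectclipboard") == "1":
        findings.append("clipboard shared with the remote session")
    if _value(s, "redirectsmartcards") == "1":
        findings.append("smart cards forwarded to the remote session")
    if _value(s, "remoteapplicationmode") == "1":
        findings.append("RemoteApp mode hides that a full RDP session is open")
    return findings


if __name__ == "__main__":
    for reason in assess_rdp(SAMPLE_RDP):
        print("QUARANTINE:", reason)
```

Run against a mail gateway's attachment store, the external-host check alone catches the campaign's core move (a client-initiated session to infrastructure the organisation does not own), while the redirection checks explain what the session would expose; a file that only passes the host check because it names a trusted suffix should still be blocked if it maps drives, since PyRDP on a compromised internal host would see the same data.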
While the total number of victims across the entire campaign is unclear, Trend Micro claims that approximately 200 high-profile victims were attacked on a single day when the campaign was at its peak in late October 2024.
The victims were government and military organizations, think tanks and academic researchers, entities related to the Ukrainian government, a cloud service provider, and entities associated with the Ministry of Foreign Affairs of the Netherlands.
Most of them are located in Europe, the United States, Japan, Ukraine and Australia.
To put things into more context, it's worth noting that Midnight Blizzard is also known as APT29, Earth Koshchei, or Cozy Bear. It is a sophisticated advanced persistent threat group sponsored by the Russian government and under the direct control of the Russian Foreign Intelligence Service (SVR). It is known for carrying out cyberespionage campaigns mainly against Western countries.
Via BleepingComputer