- Trend Micro Discovers Sophisticated Spear Phishing Campaign Targeting Military and Government Targets
- It uses nearly 200 RDP proxies to access endpoints
- The total number of victims reaches hundreds
An advanced persistent threat known as “Midnight Blizzard” has launched large-scale spear phishing attacks targeting Western governments, military organizations, and academic researchers.
Cybersecurity researchers from Trend Micro revealed that the group used red team methods and anonymizing tools to steal sensitive data from the target’s IT infrastructure.
Researchers said in a report that the group used a rogue Remote Desktop Protocol (RDP) setup and a Python-based tool called PyRDP. The attack started with a spear phishing email containing a malicious RDP profile (an .rdp configuration file). If the victim opens it, it connects to an attacker-controlled RDP server.
On the Russian payroll
The campaign used 34 malicious RDP backend servers and 193 proxy servers to redirect victim connections and mask attacker activity.
Once the victim is connected, the attackers use PyRDP to intercept the connection and act as a man-in-the-middle (MitM). With access to the target endpoint, the attacker can browse files, steal sensitive data, and more.
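A defender's first check against the technique described above is to inspect .rdp attachments before they reach users. The following parser and triage function are an added example, not Trend Micro's or BleepingComputer's code: .rdp files are plain "name:type:value" lines, and the allowlist, the flagged settings and the sample profile are assumptions constructed for illustration.

```python
from typing import Dict, List

# An .rdp profile is plain text, one "name:type:value" per line, where type is
# "s" (string) or "i" (integer). Parser and checks are an added example.
def parse_rdp_profile(text: str) -> Dict[str, str]:
    """Parse name:type:value lines into a dict keyed by lower-cased setting name."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # value itself may contain ':' (host:port)
        if len(parts) != 3:
            continue
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings

# Settings that hand local resources to the remote host. A rogue server that
# receives them gains access to the victim's drives, clipboard and smart cards.
RISKY_REDIRECTIONS = {
    "drivestoredirect": lambda v: v != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",
}

def assess_rdp_profile(text: str, allowed_hosts: List[str]) -> List[str]:
    """Return findings for an .rdp profile; an empty list means nothing suspicious."""
    s = parse_rdp_profile(text)
    findings: List[str] = []
    host = s.get("full address", "").split(":")[0].lower()
    if not host:
        findings.append("no 'full address' in profile")
    elif not any(host == a or host.endswith("." + a) for a in allowed_hosts):
        findings.append(f"connects to non-allowlisted host {host}")
    for name, is_risky in RISKY_REDIRECTIONS.items():
        if name in s and is_risky(s[name]):
            findings.append(f"{name}={s[name]} redirects local resources to the remote host")
    return findings

# Constructed sample of the kind of profile described above (host is a placeholder).
SAMPLE_PROFILE = """\
full address:s:rdp.example-attacker.invalid:3389
username:s:user
drivestoredirect:s:*
redirectclipboard:i:1
"""
```

Run `assess_rdp_profile(SAMPLE_PROFILE, ["corp.example.com"])` to see the sample flagged for its external host and its drive and clipboard redirection.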
While the total number of victims for the entire campaign is unknown, Trend Micro said around 200 known victims were targeted in a single day, when the campaign peaked in late October 2024.
Victims include government and military organizations, think tanks and academic researchers, entities related to the Ukrainian government, cloud service providers, and entities related to the Dutch Ministry of Foreign Affairs.
Most of them are located in Europe, the United States, Japan, Ukraine and Australia.
It is worth noting that Midnight Blizzard is also known as APT29, Earth Koshchei or Cozy Bear. It is a sophisticated advanced persistent threat group funded by the Russian government and directly controlled by the Russian Foreign Intelligence Service (SVR), and is known for conducting cyber espionage operations mainly against Western countries.
Via BleepingComputer