Russia’s ‘Midnight Blizzard’ hackers target government workers in novel info-stealing campaign
Microsoft said Russia’s Foreign Intelligence Service (SVR) has targeted government workers over the last week with a tool that provides the hackers with full access to a victim’s device.
In a blog post on Tuesday, Microsoft’s Threat Intelligence team said it has seen a Russian actor it tracks as Midnight Blizzard sending “highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors” since October 22.
The campaign is ongoing and Microsoft tracked emails “sent to thousands of targets in over 100 organizations.” The emails contained configuration files for Remote Desktop Protocol (RDP) that are connected to servers controlled by the hackers.
RDP attachments “contained several sensitive settings that would lead to significant information exposure.”
“Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server,” Microsoft said, adding that a wide range of resources, including printers and clipboard contents, could be sent to the server.
Even security keys and point of sale devices could be affected by opening the RDP attachment. The access would allow hackers to install malware, map the victim’s network, install other tools and gain access to credentials.
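As an added defensive example (this is not code from Microsoft, Amazon or this article), the following Python script parses an .rdp attachment the way a mail-gateway or endpoint triage job might and flags the settings that map local resources, such as drives, clipboard, printers and smart cards or security keys, to the remote host, together with a connection target outside an allowlist and a suppressed certificate warning. The setting names are the standard RDP file keys; the sample attachment, the allowlisted host and the function names are constructed for this illustration.

```python
"""Flag risky resource-redirection settings in an RDP (.rdp) connection file.

Added defensive example; not code from Microsoft, Amazon or the article.
The keys below are standard RDP file settings. ALLOWED_HOSTS and the
sample files are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allowlist: hosts an organisation actually expects users to RDP into.
ALLOWED_HOSTS = frozenset({"rdp.corp.example"})

# Setting -> (what it hands to the remote host, predicate on the raw value).
RISKY_SETTINGS = {
    "drivestoredirect":    ("local drives mapped to remote host",          lambda v: v.strip() != ""),
    "redirectclipboard":   ("clipboard shared with remote host",           lambda v: v.strip() == "1"),
    "redirectprinters":    ("local printers mapped to remote host",        lambda v: v.strip() == "1"),
    "redirectsmartcards":  ("smart cards / security keys redirected",      lambda v: v.strip() == "1"),
    "redirectwebauthn":    ("WebAuthn security keys redirected",           lambda v: v.strip() == "1"),
    "devicestoredirect":   ("plug-and-play devices (e.g. POS) redirected", lambda v: v.strip() != ""),
    "usbdevicestoredirect": ("USB devices redirected",                     lambda v: v.strip() != ""),
    "redirectcomports":    ("serial (COM) ports redirected",               lambda v: v.strip() == "1"),
}
HOST_KEYS = ("full address", "alternate full address", "gatewayhostname")


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    reason: str


def decode_rdp(data: bytes) -> str:
    """Windows often writes .rdp files as UTF-16LE with a BOM; fall back to UTF-8."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}; skip blanks and malformed lines."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line, nothing to evaluate
        name, vtype, value = parts
        settings[name.strip().lower()] = (vtype.strip().lower(), value)
    return settings


def host_allowed(target: str, allowed: frozenset[str]) -> bool:
    host = re.sub(r":\d+$", "", target.strip().lower())  # drop an explicit port
    return any(host == a or host.endswith("." + a) for a in allowed)


def analyze(settings: dict[str, tuple[str, str]], allowed: frozenset[str]) -> list[Finding]:
    """Return one Finding per setting that exposes local resources or weakens the connection."""
    findings: list[Finding] = []
    for key, (reason, is_risky) in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key][1]):
            findings.append(Finding(key, settings[key][1], reason))
    for key in HOST_KEYS:
        if key in settings and settings[key][1].strip() and not host_allowed(settings[key][1], allowed):
            findings.append(Finding(key, settings[key][1].strip(), "connects to a host outside the allowlist"))
    # 0 = connect without warning when server certificate validation fails
    if settings.get("authentication level", ("", ""))[1].strip() == "0":
        findings.append(Finding("authentication level", "0", "server certificate warnings suppressed"))
    return findings


def triage(data: bytes, allowed: frozenset[str] = ALLOWED_HOSTS) -> list[Finding]:
    return analyze(parse_rdp(decode_rdp(data)), allowed)


# Constructed sample resembling an attachment that maps the victim's resources outward.
SUSPICIOUS_RDP = """screen mode id:i:2
full address:s:rdp.example-attacker.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
devicestoredirect:s:*
authentication level:i:0
prompt for credentials:i:0
"""

# Constructed sample of an ordinary connection file to an allowlisted host.
BENIGN_RDP = """screen mode id:i:2
full address:s:rdp.corp.example:3389
redirectclipboard:i:0
redirectprinters:i:0
authentication level:i:2
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        hits = triage(sample.encode("utf-8"))
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  {f.key}={f.value!r}: {f.reason}")
```

Running the script prints eight findings for the constructed suspicious file (six redirection settings, the unknown host and the suppressed certificate warning) and none for the benign one; a gateway would quarantine on any redirection finding rather than on a count.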
Microsoft said it has seen the attackers target people in dozens of countries including the United Kingdom, Europe, Australia, and Japan. The hackers sent the phishing emails to email addresses “gathered during previous compromises.”
In some of the emails, the hackers tried to get victims to open them by impersonating Microsoft employees, while others used social engineering lures relating to Microsoft, Amazon Web Services (AWS) and the concept of zero trust.
The campaign was particularly noteworthy because the use of RDP configuration files was a novel advancement in Midnight Blizzard’s tactics. Microsoft noted that both Amazon and the Government Computer Emergency Response Team of Ukraine have seen similar activity.
Last week, Amazon published a security brief warning that Russia’s Foreign Intelligence Service was targeting government agencies, companies, and militaries with a phishing campaign aimed at “stealing credentials from Russian adversaries.”
The hackers, whom Amazon calls APT29, sent Ukrainian-language phishing emails to “significantly more targets than their typical, narrowly targeted approach.”
“Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn’t the target, nor was the group after AWS customer credentials,” Amazon Chief Information Security Officer CJ Moses said.
“Rather, APT29 sought its targets’ Windows credentials through Microsoft Remote Desktop. Upon learning of this activity, we immediately initiated the process of seizing the domains APT29 was abusing which impersonated AWS in order to interrupt the operation.”
SVR hackers were previously behind a deep breach of Microsoft systems last November that gave them access to the company's corporate email environment — also exposing emails from several U.S. federal agencies that may have contained authentication details or credentials.
In addition to more recent attacks on software companies like TeamViewer, the SVR has been behind some of the most consequential cyberattacks in U.S. history — including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.