Image: Jeff Hardi via Unsplash

Russian hackers using red team tools for large-scale espionage campaign

Russian state-controlled hackers have been using tools typically deployed by red teams to steal their victims’ data, according to researchers. 

In a large-scale espionage operation that began in October, the group known as APT29 used the Remote Desktop Protocol (RDP) — a legitimate tool used by cybersecurity professionals who simulate real-world attacks to test an organization’s defenses — in order to gain control over victims’ systems.

According to a report by cybersecurity firm Trend Micro, which analyzed the campaign, the hackers used phishing emails to trick victims into opening malicious files that reconfigured their computers to connect to one of the group’s remote servers via RDP.

Among the victims of the campaign are governments, armed forces, think tanks, and academic researchers in Ukraine and Europe.

APT29, also known as Cozy Bear, Nobelium, BlueBravo and Midnight Blizzard, is allegedly sponsored by the Russian Foreign Intelligence Service (SVR). The group has previously targeted diplomatic, military, energy, telecom, and tech companies in Western countries. It has been implicated in several of the most consequential hacks of the last decade, including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee.

According to Trend Micro, the hackers appear to have put significant effort into preparing for this latest campaign. Between August and October 2024, they registered more than 200 domain names linked to high-profile targets, including those likely connected to the Australian and Ukrainian governments.

This is not the first time APT29 has carried out a large-scale phishing campaign. In May 2021, they also sent malicious emails to thousands of individual accounts using a mass-mailing service.

Researchers suggest the hackers may have gotten the idea to exploit RDP for unauthorized access from a 2022 blog post by the information security company Black Hills, which provided a detailed explanation of this approach.

The attack method described by Black Hills involves using an open-source tool called PyRDP, which enables hackers to connect victims to a malicious server, granting access to their file systems. Once connected, attackers can browse directories, read or modify files, and inject malicious payloads.

“Notably, no malware is installed on the victim’s machines per se,” Trend Micro researchers said. “Instead, a malicious configuration file with dangerous settings facilitates this attack, making it stealthier as it uses tools and processes already present on the system.”
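As an added defensive example (not code from the article or from Trend Micro's report), the script below parses a Windows .rdp connection file of the kind described above and flags the settings that would hand a remote server access to local resources. The setting names are standard .rdp keys; the sample file content and the allow-list of approved hosts are constructed.

```python
import re

# Standard .rdp settings that, when enabled, expose local resources to the remote host.
RISKY = {
    "drivestoredirect": lambda v: v != "",            # local drives mapped into the session
    "devicestoredirect": lambda v: v != "",           # plug-and-play devices redirected
    "redirectclipboard": lambda v: v == "1",          # clipboard shared with the remote host
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",         # smart card (credential) redirection
    "remoteapplicationmode": lambda v: v == "1",      # RemoteApp mode hides the remote desktop
}

# Constructed allow-list of RDP hosts the organization actually operates.
APPROVED_HOSTS = {"rdp.corp.example"}

# Each .rdp line has the form name:type:value, with type s (string), i (integer) or b (binary).
LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")

def parse_rdp(text):
    """Parse .rdp file text into a dict of lower-cased setting name -> value."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def assess_rdp(text, approved_hosts=APPROVED_HOSTS):
    """Return a list of findings for the file; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0].lower()
    if host and host not in approved_hosts:
        findings.append(f"connects to unapproved host {host}")
    for key, is_risky in RISKY.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key} enabled ({s[key]!r})")
    if "alternate shell" in s or "remoteapplicationprogram" in s:
        findings.append("launches a program on connect")
    return findings

# Constructed sample resembling a lure attachment: all local drives redirected to a foreign host.
SAMPLE_RDP = """\
full address:s:files.attacker-controlled.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print("FLAG:", finding)
```

Real .rdp files saved by mstsc.exe are UTF-16 encoded, so decode them before passing the text to assess_rdp.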

The final stage of the attack often involves data exfiltration, where the attackers extract sensitive information such as passwords, configuration files, proprietary data, or other confidential materials.

A similar campaign attributed to APT29 was also previously spotted by Microsoft and Ukraine’s computer emergency response team (CERT-UA). The researchers discovered malicious emails “sent to thousands of targets in over 100 organizations” that contained configuration files for RDP, which were connected to servers controlled by the hackers.

In some of the emails, the hackers impersonated Microsoft employees, while others used social engineering lures related to Microsoft and Amazon Web Services (AWS).

According to Trend Micro, the abuse of RDP servers is “a perfect example of an APT group utilizing red team toolkits to lessen their work on the attack itself, allowing them to focus more on targeting organizations with advanced social engineering.”

“It helps them ensure they can extract the maximum amount of data and information from their targets in the shortest time,” the researchers said.

    Daryna Antoniuk

    is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.