Notorious Russian-linked threat actor Midnight Blizzard has targeted U.S. officials with spearphishing attacks across multiple government and non-government sectors, new research shows.
Findings released by Microsoft Threat Intelligence show that Midnight Blizzard has been using these attacks to gather intelligence since they were first spotted on October 22.
These campaigns have also been observed and confirmed by Amazon and Ukraine’s Government Computer Emergency Response Team.
Highly targeted spear phishing
The latest spearphishing attacks employ a strong social engineering element, using Microsoft, Amazon Web Services (AWS), and Zero Trust hooks to trick targets into opening Remote Desktop Protocol (RDP) configuration files attached to emails. These files allow Midnight Blizzard to control the target system’s functions and resources via a remote server.
Midnight Blizzard is also said to be able to gather important information about compromised devices by mapping the target’s local device resources, including information about “all logical hard drives, clipboard contents, printers, attached peripherals, audio, and authentication functions and facilities of the Windows operating system, including smart cards.”
This mapping occurs each time the target device connects to the RDP server. The connection allows Midnight Blizzard to install Remote Access Trojans (RATs) to establish persistent access even when the device is not connected to the RDP server.
As a result, Midnight Blizzard was able to install malware on both the target device and other devices on the same network, in addition to the possibility of credential theft during the RDP connection.
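The resource mapping described above is driven by the redirection settings inside the attached .rdp file. As an added example (not code from the article or from Microsoft's research), the following Python check parses an .rdp attachment and flags the settings that hand local drives, clipboard, printers, peripherals or smart cards to the remote host; the setting names follow the documented RDP file format, while the sample file, the placeholder host name and the choice of which settings count as risky are assumptions made for this example.

```python
import re
from typing import Dict, List

# .rdp files are plain text: one "name:type:value" setting per line,
# where type is s (string), i (integer) or b (binary).
RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Settings that redirect local resources to the remote host, with a
# predicate telling whether the given value turns the redirection on.
# Which settings to treat as risky is an assumption for this check.
RISKY_REDIRECTS = {
    "drivestoredirect": lambda v: v.strip() != "",   # local disks
    "devicestoredirect": lambda v: v.strip() != "",  # attached peripherals
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "redirectcomports": lambda v: v.strip() == "1",
    "audiocapturemode": lambda v: v.strip() == "1",  # microphone
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse .rdp text into {setting name: value}, names lower-cased."""
    settings = {}
    for line in text.splitlines():
        m = RDP_LINE.match(line.strip())
        if m:
            settings[m.group("name").strip().lower()] = m.group("value")
    return settings

def risky_settings(settings: Dict[str, str]) -> List[str]:
    """Names of settings that expose local resources to the remote host."""
    return sorted(name for name, on in RISKY_REDIRECTS.items()
                  if name in settings and on(settings[name]))

def assess(text: str) -> dict:
    """Summarise an .rdp attachment: remote host, flagged settings, verdict."""
    s = parse_rdp(text)
    flagged = risky_settings(s)
    return {"remote_host": s.get("full address", ""),
            "flagged": flagged,
            "verdict": "block" if flagged else "allow"}

# Constructed sample resembling a lure attachment; the host is a placeholder, not an indicator.
SAMPLE_RDP = """full address:s:rdp.example-placeholder.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
"""

if __name__ == "__main__":
    print(assess(SAMPLE_RDP))
```

A mail gateway or endpoint rule can run the same check on every .rdp attachment and quarantine those whose verdict is "block", which is the mitigation the article's description points to.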
The campaign has so far targeted government, higher education, defense and non-governmental organization officials in the UK, Europe, Australia and Japan. You can view the full details on Microsoft’s mitigation measures here.