October 30, 2024 at 08:48AM
Microsoft reports a two-week mass phishing campaign by Russia's SVR that has targeted more than 100 organizations with a technique new for this actor: spear-phishing emails carrying Remote Desktop Protocol (RDP) configuration files. The campaign, which began on October 22, impersonates Microsoft and other providers and primarily affects entities in the UK, Europe, Australia, and Japan.
### Meeting Takeaways
1. **Ongoing Phishing Campaign:**
– Microsoft has identified a mass phishing campaign attributed to Russia's Foreign Intelligence Service (SVR), specifically the group Microsoft tracks as Midnight Blizzard (also known as APT29 or Cozy Bear).
– The campaign, ongoing since October 22, targets governments, NGOs, academia, and defense organizations.
2. **Phishing Techniques:**
– Departing from its earlier tooling, the actor attaches RDP configuration (.rdp) files to spear-phishing emails rather than relying on malicious documents or credential-harvesting links.
– Thousands of individuals across more than 100 organizations have been targeted, indicating a shift from Midnight Blizzard’s usual highly targeted approach.
3. **Impact of RDP Files:**
– When a recipient opens the attached .rdp file, the Remote Desktop client initiates an outbound RDP session to an actor-controlled server. The file's settings redirect the victim's local resources to that server: local and mapped drives, clipboard, printers, smart cards, and authentication features such as passkeys and security keys. Because the session is outbound and user-initiated, it passes through perimeter controls that only block inbound RDP.
– With those resources mapped, the actor can read and write files on the victim's drives, drop malware for later execution, and harvest credentials and other sensitive data.
4. **Victim Profiles and Email Composition:**
– Most phishing emails were written in Ukrainian and primarily aimed at organizations in the UK, Europe, Australia, and Japan.
– Some emails impersonated Microsoft employees or other cloud providers to appear legitimate, using lures about integrating the target's environment with the provider's services or with a zero trust architecture.
5. **Pre-campaign Planning:**
– Analysis of domain names used in the campaign suggests it may have been in planning stages since at least August 2023.
6. **Previous Incidents:**
– This activity follows earlier successful breaches attributed to Midnight Blizzard, including the breach of Microsoft's own corporate email systems disclosed in January 2024, which also exposed correspondence with US government agencies.
7. **Related Cybersecurity Issues:**
– There have been other significant breaches linked to the same unit within Russia’s SVR, affecting companies like HPE and TeamViewer, indicating an ongoing threat landscape that includes multiple actors and events.
8. **Information Security Coordination:**
– Similar findings have been noted by Ukraine’s CERT-UA and Amazon, highlighting the broader awareness and response to these cyber threats among industry players.
9. **Lack of Success Metrics:**
– As of now, there is no information regarding the success rate of these phishing attempts or the specifics of the data targeted by the attackers.
### Action Items
– Increase awareness and training on spotting phishing emails for personnel within affected organizations, with specific attention to unexpected .rdp attachments and lures about "integration" or "zero trust" projects.
– Tighten email filtering and monitoring: quarantine or strip .rdp attachments at the mail gateway, block outbound RDP (TCP/UDP 3389) from user workstations to the internet, and use Group Policy to prevent the Remote Desktop client from opening .rdp files from unknown publishers.
– Stay informed about updates from Microsoft, CERT-UA, and other cybersecurity organizations regarding ongoing threats and mitigation strategies.
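The following Python script is an added example, not code from Microsoft, CERT-UA, or the author of this page. It shows the kind of static check a mail gateway or endpoint rule could apply to an .rdp attachment of the type described under "Impact of RDP Files": it parses the `name:type:value` directives, flags a `full address` outside an assumed allowlist (`rdp.corp.example` is a placeholder), and lists every resource-redirection setting that is switched on. Both sample files are constructed for the example; neither is the campaign's real attachment, and the host `rdp.attacker.example` is fictional.

```python
"""Static checks for .rdp attachments: flag files that redirect local resources
to a non-allowlisted host. Added example for this page; not code from Microsoft,
CERT-UA, or any vendor. The host allowlist and both sample files are constructed."""
import re
from dataclasses import dataclass

# Directive -> value that turns the redirection on. For the string ("s") directives
# "*" means every device in that class; drivestoredirect also accepts a drive list.
RISKY_DIRECTIVES = {
    "drivestoredirect": "*",
    "devicestoredirect": "*",
    "usbdevicestoredirect": "*",
    "redirectclipboard": "1",
    "redirectprinters": "1",
    "redirectsmartcards": "1",
    "redirectcomports": "1",
    "redirectposdevices": "1",
    "redirectwebauthn": "1",       # passkeys, Windows Hello, security keys
    "remoteapplicationmode": "1",  # RemoteApp: no full-desktop window to alert the user
}

# Hosts this organization legitimately publishes RDP on (assumed for the example).
ALLOWED_RDP_HOSTS = {"rdp.corp.example"}

_HOST_RE = re.compile(r"^(?P<host>\[[^\]]+\]|[^:]+)(?::(?P<port>\d+))?$")


@dataclass(frozen=True)
class Finding:
    directive: str
    value: str
    reason: str


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Directive names are case-insensitive in mstsc, so they are lower-cased;
    lines without two separators (stray text) are ignored rather than raising.
    """
    entries = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = (p.strip() for p in parts)
        entries[name.lower()] = (kind.lower(), value)
    return entries


def target_host(entries: dict) -> str:
    """Return the bare host from 'full address' (port stripped), or '' if absent."""
    value = entries.get("full address", ("", ""))[1]
    m = _HOST_RE.match(value)
    return m.group("host").lower() if m else value.lower()


def assess_rdp(text: str) -> list:
    """Return the findings for one .rdp file (empty list = nothing flagged)."""
    entries = parse_rdp(text)
    findings = []
    host = target_host(entries)
    if not host:
        findings.append(Finding("full address", "", "no target host"))
    elif host not in ALLOWED_RDP_HOSTS:
        findings.append(Finding("full address", host, "connects to non-allowlisted host"))

    for name, on_value in RISKY_DIRECTIVES.items():
        if name not in entries:
            continue
        value = entries[name][1]
        # drivestoredirect: any non-empty value ("*", "C:;D:", "DynamicDrives") redirects
        enabled = value != "" if name == "drivestoredirect" else value == on_value
        if enabled:
            findings.append(Finding(name, value, "exposes local resource to remote host"))

    if "signature" in entries:
        # A signature suppresses the "unknown publisher" prompt but only proves who
        # signed the file, not that the signer should be trusted.
        findings.append(Finding("signature", "<present>", "signed file; verify publisher"))
    return findings


def is_suspicious(text: str) -> bool:
    """Attacker-style file: non-allowlisted host AND at least one redirection enabled."""
    reasons = {f.reason for f in assess_rdp(text)}
    return ("connects to non-allowlisted host" in reasons
            and "exposes local resource to remote host" in reasons)


# Constructed sample modelled on the campaign's approach (not the real attachment).
MALICIOUS_SAMPLE = """\
full address:s:rdp.attacker.example:3389
prompt for credentials:i:0
authentication level:i:0
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
devicestoredirect:s:*
"""

# Constructed benign file: allowlisted host, no redirection.
BENIGN_SAMPLE = """\
full address:s:rdp.corp.example:3389
authentication level:i:2
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: suspicious={is_suspicious(sample)}")
        for f in assess_rdp(sample):
            print(f"  {f.directive} = {f.value!r}: {f.reason}")
```

The verdict deliberately requires both conditions, a non-allowlisted host and an enabled redirection, because a legitimate .rdp file to a published gateway with no device redirection should not page the SOC; any single finding is still worth logging. If you run this at a gateway, treat `drivestoredirect`, `redirectsmartcards`, and `redirectwebauthn` as the highest-severity directives, since they are the ones that hand the remote side file access and authentication material.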