Skip to main content
close search
site logo
Dive Brief

CISA warns of foreign threat group launching spearphishing campaign using malicious RDP files

Midnight Blizzard has targeted more than 100 organizations across government, IT and academia, in some cases impersonating Microsoft employees.

Published Nov. 1, 2024
David Jones's headshot
Reporter
CISA, cybersecurity, agency
CISA warns a threat group is using maiicious RDP files in a widespread spearphishing campaign against government, IT and other sectors. Photo illustration by Danielle Ternes/Cybersecurity Dive; photograph by yucelyilmaz via Getty Images

Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency on Thursday said it has received multiple reports of a foreign threat actor targeting government and IT companies in a widescale spear-phishing campaign using malicious remote desktop protocol files. 
  • Microsoft Threat Intelligence linked the spear-phishing campaign to Midnight Blizzard in a Tuesday report, warning that emails were sent to thousands of targets. The emails were sent to more than 100 organizations in government, defense and academia, among others, and in some cases impersonated Microsoft employees to lend credibility.
  • AWS identified internet domains abused by the threat group, which is also known as APT29 and affiliated with Russia’s Foreign Intelligence Service, CJ Moses, CISO and VP of security engineering at Amazon wrote in a post last week. The phishing campaign was launched in Ukraine and design to steal credentials from Russian adversaries, Moses said.

Dive Insight:

Microsoft researchers first observed the spear-phishing attacks on Oct. 22, with targets across dozens of countries, but mainly focused on the U.K., Europe, Japan and Australia. 

Once the RDP attachments compromised the targeted victim, a connection was made to a server controlled by the threat actor, exposing sensitive information, including hard disks, clipboard information, printers and audio and connected peripheral devices. 

CISA warned that organizations should restrict outbound RDP connections, prohibit RDP files from being transmitted through email clients and webmail servers and also block the execution of RDP files by users. Organizations should also enable multifactor authentication and deploy phishing-resistant authentication services, such as FIDO tokens. 

Microsoft researchers said the goal of the campaign is likely to collect intelligence. The threat group was linked to the 2020 Sunburst attacks when it was known as Nobelium. 

Midnight Blizzard previously hacked into the accounts of senior Microsoft executives earlier this year and gained access to federal agencies in the U.S.

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Whalebone Wins 2024 CyberSecurity Breakthrough Award
From Whalebone
October 15, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Clay Platte Family Medicine Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Tech Ambitions Collide with Reality: 2025 Technology Impact Report Exposes Critical Readiness…
From Omnia Strategy Group, LLC
October 21, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell