Russia’s Foreign Intelligence Service (SVR) has launched a sophisticated hacking campaign targeting government workers worldwide, using a tool that grants hackers full access to compromised devices. Microsoft’s Threat Intelligence team reported that the SVR sent spear-phishing emails to thousands of targets in over 100 organizations since October 22.
The emails carried Remote Desktop Protocol (RDP) configuration files that, when opened, exposed sensitive information. Once a target opened the file, the device connected to an attacker-controlled server and mapped local device resources to it, including printers, clipboard contents, security keys, and point-of-sale devices. This access allowed the hackers to install malware, map networks, install other tools, and gain access to credentials.
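The risk in this technique comes from the redirection settings a plain-text .rdp file can carry. The following is an added defender-side example (not code from the article or from Microsoft): it parses an .rdp attachment and flags the settings that hand local drives, clipboard, printers, smart cards, point-of-sale devices and WebAuthn security keys to the remote host. The sample file and hostname are constructed for illustration.

```python
import re

# Constructed sample .rdp file modelled on the resource-redirection settings
# the campaign description mentions. The hostname is a placeholder.
SAMPLE_RDP = """\
full address:s:remote-host.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectposdevices:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:0
"""

# Standard .rdp keys whose value 1 redirects a local resource to the remote host.
RISKY_INT_KEYS = {
    "redirectclipboard": "clipboard contents",
    "redirectprinters": "local printers",
    "redirectsmartcards": "smart cards / security keys",
    "redirectposdevices": "point-of-sale devices",
    "redirectwebauthn": "WebAuthn security keys",
    "redirectcomports": "serial (COM) ports",
}

def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; type s=string, i=int, b=binary."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([isb]):(.*)$", line.strip())
        if not m:
            continue  # blank or malformed line: ignore rather than fail
        key, typ, val = m.groups()
        if typ == "i":
            try:
                val = int(val)
            except ValueError:
                pass  # keep the raw string so the caller still sees it
        settings[key.lower()] = val
    return settings

def assess_rdp(text):
    """Return the remote destination and a dict of redirected resources."""
    s = parse_rdp(text)
    flagged = {}
    drives = s.get("drivestoredirect", "")
    if drives:  # '*' means every local drive is mapped into the session
        flagged["drivestoredirect"] = f"local drives ({drives})"
    for key, label in RISKY_INT_KEYS.items():
        if s.get(key) == 1:
            flagged[key] = label
    return {"destination": s.get("full address", ""), "flagged": flagged}
```

Running `assess_rdp` over mail-gateway attachments gives a quick triage signal; a file pointing at an unknown host with several redirections enabled deserves a closer look before delivery.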
The campaign has affected targets in dozens of countries, including the UK, Australia, Japan and across Europe. Microsoft tracked emails sent to addresses gathered during previous compromises, often impersonating Microsoft employees or using social engineering lures related to AWS and zero-trust concepts.
This campaign is notable for its use of RDP configuration files, a novel tactic for Russia’s Midnight Blizzard hackers. Amazon and the Government Computer Emergency Response Team of Ukraine have seen similar activity, with Amazon warning that the SVR was targeting government agencies and companies with phishing campaigns aimed at stealing credentials from Russia’s adversaries.
The SVR has been behind several high-profile cyberattacks in the US, including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee. This latest campaign highlights the ongoing threat posed by Russia’s Foreign Intelligence Service to global cybersecurity.
Source: https://therecord.media/russia-midnight-blizzard-hackers-target-government-sector