Notorious Russia-linked threat actor Midnight Blizzard has targeted US officials with spearphishing attacks across a range of government and non-government sectors, new research shows.
According to findings released by Microsoft Threat Intelligence, Midnight Blizzard has been using these attacks to gather information since they were first spotted on October 22.
These campaigns have also been observed and confirmed by Amazon and the Government Computer Emergency Response Team of Ukraine.
Highly targeted spear phishing
The latest spearphishing attacks employ a strong social engineering aspect, relying on Microsoft, Amazon Web Services (AWS) and Zero Trust hooks to trick targets into opening the Remote Desktop Protocol (RDP)-loaded files attached to the emails. These files essentially allow Midnight Blizzard to manage the target system’s functions and resources through a remote server.
Midnight Blizzard would also be able to gather significant information about affected devices by mapping the target’s local device resources, including information about “all logical hard drives, clipboard contents, printers, connected peripherals, audio, and authentication features and facilities of the Windows operating system, including smart cards.”
This mapping occurs every time the target device connects to the RDP server. The connection allows Midnight Blizzard to install Remote Access Trojans (RATs) to establish persistent access for when the device is no longer connected to the RDP server.
As a result, Midnight Blizzard could install malware on both the target device and other devices on the same network, in addition to the possibility of credential theft during the RDP connection.
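As an added example (not from the article, Microsoft, Amazon or CERT-UA), the following Python triage helper inspects an RDP connection file for the resource-mapping settings the article describes: drive, clipboard, printer, device, audio and smart card redirection, plus the remote host the file points at. It assumes the attachments are standard `.rdp` text files (the setting names are the documented RDP file keys); the allowlist and both sample files are constructed for the demonstration.

```python
"""Triage helper for RDP connection (.rdp) files found in mail attachments.

Added example, not code from the article or from Microsoft. It flags the
settings that hand local device resources to the remote host, which is the
behaviour the article attributes to the phishing attachments. Sample files
below are constructed.
"""
from dataclasses import dataclass, field

# Settings that map local resources to the remote server.
# Key names and value types follow the standard RDP file format
# ("key:type:value", where type is s=string or i=integer).
RISKY_SETTINGS = {
    "drivestoredirect": ("s", lambda v: v.strip() != "", "local drives mapped to remote host"),
    "devicestoredirect": ("s", lambda v: v.strip() != "", "plug-and-play devices redirected"),
    "redirectclipboard": ("i", lambda v: v == "1", "clipboard shared with remote host"),
    "redirectprinters": ("i", lambda v: v == "1", "printers redirected"),
    "redirectcomports": ("i", lambda v: v == "1", "serial/COM ports redirected"),
    "redirectsmartcards": ("i", lambda v: v == "1", "smart cards redirected (authentication facility)"),
    "audiocapturemode": ("i", lambda v: v == "1", "microphone capture redirected"),
    "authentication level": ("i", lambda v: v == "0", "server authentication warnings disabled"),
}


def decode_rdp(data: bytes) -> str:
    """Decode a .rdp file. mstsc saves them as UTF-16 with a BOM; hand-made
    ones are usually UTF-8, so both are accepted."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}.
    Keys are lower-cased; malformed lines are skipped rather than rejected."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        key, vtype, value = parts
        settings[key.strip().lower()] = (vtype.strip().lower(), value)
    return settings


@dataclass
class Triage:
    remote_host: str
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_rdp(text: str, trusted_hosts: frozenset[str] = frozenset()) -> Triage:
    """Return the remote host plus one finding per risky setting.
    trusted_hosts is a constructed allowlist of hostnames the organisation
    legitimately publishes .rdp files for."""
    settings = parse_rdp(text)
    host = settings.get("full address", ("s", ""))[1].strip()
    result = Triage(remote_host=host)
    # Strip an optional ":port"; IPv6 literals are not handled here.
    hostname = host.split(":")[0].lower()
    if host and hostname not in trusted_hosts:
        result.findings.append(f"connects to non-allowlisted host {host!r}")
    for key, (expected_type, is_risky, why) in RISKY_SETTINGS.items():
        if key in settings:
            actual_type, value = settings[key]
            if actual_type == expected_type and is_risky(value):
                result.findings.append(f"{key}: {why}")
    return result


# Constructed sample: every local resource redirected to an unknown host.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
audiocapturemode:i:1
authentication level:i:0
username:s:user
"""

# Constructed sample: a locked-down file for an allowlisted jump host.
BENIGN_RDP = """\
full address:s:jump.corp.example
drivestoredirect:s:
redirectclipboard:i:0
redirectsmartcards:i:0
authentication level:i:2
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        t = triage_rdp(text, frozenset({"jump.corp.example"}))
        print(f"{name}: host={t.remote_host!r} suspicious={t.suspicious}")
        for f in t.findings:
            print("  -", f)
```

Run over attachments at the mail gateway or in a sandbox, the helper gives an analyst the remote host and a list of what the file would expose if opened; a file that both points at an unknown host and redirects drives or smart cards is the pattern described above and is worth blocking before delivery.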
The campaign has so far targeted officials from government agencies, higher education, defense and non-governmental organizations in Britain, Europe, Australia and Japan. Microsoft’s full details and mitigation measures can be viewed here.