Summary
Since October 22, 2024, Microsoft Threat Intelligence has observed the Russian threat actor known as Midnight Blizzard conducting a sophisticated spear-phishing campaign aimed at individuals in various sectors, including government, academia, defense, and non-governmental organizations.
This ongoing activity involves sending highly targeted emails, which include a signed Remote Desktop Protocol (RDP) configuration file that connects to a server directly controlled by Midnight Blizzard. The emails often impersonate Microsoft employees and reference other cloud service providers to enhance credibility.
Midnight Blizzard, linked to the Russian Foreign Intelligence Service (SVR), has a history of targeting governmental and diplomatic entities, with a focus on intelligence collection. This campaign represents a new tactic for the actor, as it employs a signed RDP file to gain access to victims’ devices. Microsoft has noted overlapping activity reported by Ukraine’s CERT-UA and Amazon.
Midnight Blizzard is persistent in its operational methods, which include spear phishing, stolen credentials, and supply chain attacks. Known by several designations, including APT29 and Cozy Bear, the group aims to gather intelligence through advanced espionage techniques. Microsoft is notifying affected customers and providing security guidance to mitigate the threat. The campaign’s impact could lead to significant data exposure, as the RDP connection can allow the actor to access a range of resources on the target’s system, including files, peripherals, and authentication features. RH-ISAC is sharing this intelligence for Member community awareness, as the RH-ISAC Intelligence Team has previously reported on multiple campaigns pertaining to Midnight Blizzard. Microsoft has provided mitigation strategies and indicators of compromise, which are also included below for Member awareness.
Mitigations
Microsoft recommends the following mitigations to reduce the impact of the Midnight Blizzard RDP file campaign:
Strengthen operating environment configuration
- Use Windows Firewall or Windows Firewall with Advanced Security to help prevent or restrict outbound RDP connection attempts to external or public networks.
- Require multifactor authentication (MFA). Implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
- Leverage phishing-resistant authentication methods such as FIDO tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods because of the risks associated with SIM-jacking.
- Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and helps block malicious websites, including phishing sites, scam sites, and sites that host malware.
Strengthen endpoint security configuration
- If you are using Microsoft Defender for Endpoint, take the following steps:
  - Ensure tamper protection is turned on in Microsoft Defender for Endpoint.
  - Turn on network protection in Microsoft Defender for Endpoint.
  - Turn on web protection.
  - Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
  - Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume.
- Microsoft Defender XDR customers can turn on the following attack surface reduction rules to help prevent common attack techniques used by threat actors.
Strengthen antivirus configuration
- Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections help block a majority of new and unknown variants.
- Enable Microsoft Defender Antivirus scanning of downloaded files and attachments.
- Enable Microsoft Defender Antivirus real-time protection.
Strengthen Microsoft Office 365 configuration
- Turn on Safe Links and Safe Attachments for Office 365.
- Enable Zero-hour auto purge (ZAP) in Office 365 to help quarantine already delivered mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already reached mailboxes.
Strengthen email security configuration
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. For example, Microsoft Defender for Office 365 merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically identify and help block malicious websites, including those used in phishing activities.
- If you are using Microsoft Defender for Office 365, configure it to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect an organization from malicious links used in phishing and other attacks.
- If you are using Microsoft Defender for Office 365, use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.
Conduct user education
- Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
Indicators of Compromise
Email sender domains:
sellar[.]co.uk
townoflakelure[.]com
totalconstruction[.]com.au
swpartners[.]com.au
cewalton[.]com
RDP file names:
AWS IAM Compliance Check[.]rdp
AWS IAM Configuration[.]rdp
AWS IAM Quick Start[.]rdp
AWS SDE Compliance Check[.]rdp
AWS SDE Environment Check[.]rdp
AWS Secure Data Exchange – Compliance Check[.]rdp
AWS Secure Data Exchange Compliance[.]rdp
Device Configuration Verification[.]rdp
Device Security Requirements Check[.]rdp
IAM Identity Center Access[.]rdp
IAM Identity Center Application Access[.]rdp
Zero Trust Architecture Configuration[.]rdp
Zero Trust Security Environment Compliance Check[.]rdp
ZTS Device Compatibility Test[.]rdp
RDP remote computer domains:
ap-northeast-1-aws.s3-ua[.]cloud
ca-central-1.gov-ua[.]cloud
ca-west-1.aws-ukraine[.]cloud
ca-west-1.ukrtelecom[.]cloud
central-2-aws.ua-sec[.]cloud
central-2-aws.ukrtelecom[.]cloud
eu-central-1.mfa-gov[.]cloud
eu-central-1.mil-pl[.]cloud
eu-central-1.mindef-nl[.]cloud
eu-central-1.quirinale[.]cloud
eu-central-1.s3-be[.]cloud
eu-central-1.s3-nato[.]cloud
eu-central-1.ua-sec[.]cloud
eu-central-1-aws.amazonsolutions[.]cloud
eu-central-1-aws.gov-pl[.]cloud
eu-central-1-aws.gov-trust[.]cloud
eu-central-1-aws.minbuza[.]cloud
eu-central-1-aws.msz-pl[.]cloud
eu-central-1-aws.ncfta[.]cloud
eu-central-1-aws.quirinale[.]cloud
eu-central-1-aws.s3-be[.]cloud
eu-central-1-aws.ua-gov[.]cloud
eu-central-2-aws.amazonsolutions[.]cloud
eu-central-2-aws.dep-no[.]cloud
eu-central-2-aws.gov-sk[.]cloud
eu-central-2-aws.mil-pl[.]cloud
eu-central-2-aws.msz-pl[.]cloud
eu-central-2-aws.presidencia-pt[.]cloud
eu-central-2-aws.s3-be[.]cloud
eu-central-2-aws.ua-mil[.]cloud
eu-east-1-aws.amazonsolutions[.]cloud
eu-east-1-aws.gov-sk[.]cloud
eu-east-1-aws.mil-be[.]cloud
eu-east-1-aws.minbuza[.]cloud
eu-east-1-aws.msz-pl[.]cloud
eu-east-1-aws.quirinale[.]cloud
eu-east-1-aws.s3-be[.]cloud
eu-east-1-aws.ua-gov[.]cloud
eu-east-1-aws.ukrtelecom[.]cloud
eu-north-1.gov-trust[.]cloud
eu-north-1.gv-at[.]cloud
eu-north-1.mil-pl[.]cloud
eu-north-1.ncfta[.]cloud
eu-north-1.s3-be[.]cloud
eu-north-1.s3-ua[.]cloud
eu-north-1-aws.difesa-it[.]cloud
eu-north-1-aws.gov-sk[.]cloud
eu-north-1-aws.mil-pl[.]cloud
eu-north-1-aws.ncfta[.]cloud
eu-north-1-aws.quirinale[.]cloud
eu-north-1-aws.s3-be[.]cloud
eu-north-1-aws.ua-energy[.]cloud
eu-south-1-aws.admin-ch[.]cloud
eu-south-1-aws.difesa-it[.]cloud
eu-south-1-aws.gov-trust[.]cloud
eu-south-1-aws.mil-be[.]cloud
eu-south-1-aws.mzv-sk[.]cloud
eu-south-1-aws.s3-be[.]cloud
eu-south-1-aws.ua-gov[.]cloud
eu-south-2.gov-pl[.]cloud
eu-south-2.mil-be[.]cloud
eu-south-2.mindef-nl[.]cloud
eu-south-2.s3-de[.]cloud
eu-south-2.s3-nato[.]cloud
eu-south-2.ukrainesec[.]cloud
eu-south-2-aws.dep-no[.]cloud
eu-south-2-aws.gov-sk[.]cloud
eu-south-2-aws.mil-be[.]cloud
eu-south-2-aws.mil-pt[.]cloud
eu-south-2-aws.msz-pl[.]cloud
eu-south-2-aws.ncfta[.]cloud
eu-south-2-aws.regeringskansliet-se[.]cloud
eu-south-2-aws.s3-de[.]cloud
eu-south-2-aws.s3-nato[.]cloud
eu-south-2-aws.ua-gov[.]cloud
eu-southeast-1-aws.aws-ukraine[.]cloud
eu-southeast-1-aws.difesa-it[.]cloud
eu-southeast-1-aws.gov-trust[.]cloud
eu-southeast-1-aws.mil-pl[.]cloud
eu-southeast-1-aws.msz-pl[.]cloud
eu-southeast-1-aws.mzv-sk[.]cloud
eu-southeast-1-aws.s3-be[.]cloud
eu-southeast-1-aws.s3-esa[.]cloud
eu-southeast-1-aws.ua-energy[.]cloud
eu-west-1.aws-ukraine[.]cloud
eu-west-1.gov-sk[.]cloud
eu-west-1.mil-pl[.]cloud
eu-west-1.msz-pl[.]cloud
eu-west-1.regeringskansliet-se[.]cloud
eu-west-1.s3-esa[.]cloud
eu-west-1.ua-gov[.]cloud
eu-west-1-aws.amazonsolutions[.]cloud
eu-west-1-aws.dep-no[.]cloud
eu-west-1-aws.gov-sk[.]cloud
eu-west-1-aws.gov-ua[.]cloud
eu-west-1-aws.mil-pl[.]cloud
eu-west-1-aws.quirinale[.]cloud
eu-west-1-aws.s3-de[.]cloud
eu-west-1-aws.s3-nato[.]cloud
eu-west-1-aws.ukrainesec[.]cloud
eu-west-2-aws.dep-no[.]cloud
eu-west-2-aws.gov-pl[.]cloud
eu-west-2-aws.gv-at[.]cloud
eu-west-2-aws.mil-pl[.]cloud
eu-west-2-aws.mindef-nl[.]cloud
eu-west-2-aws.mzv-sk[.]cloud
eu-west-2-aws.s3-be[.]cloud
eu-west-2-aws.s3-esa[.]cloud
eu-west-2-aws.s3-ua[.]cloud
eu-west-3.amazonsolutions[.]cloud
eu-west-3.mil-be[.]cloud
eu-west-3.minbuza[.]cloud
eu-west-3.msz-pl[.]cloud
eu-west-3.presidencia-pt[.]cloud
eu-west-3.s3-ua[.]cloud
eu-west-3.ukrtelecom[.]cloud
eu-west-3-aws.dep-no[.]cloud
eu-west-3-aws.gov-pl[.]cloud
eu-west-3-aws.gov-trust[.]cloud
eu-west-3-aws.mil-pl[.]cloud
eu-west-3-aws.minbuza[.]cloud
eu-west-3-aws.msz-pl[.]cloud
eu-west-3-aws.quirinale[.]cloud
eu-west-3-aws.s3-be[.]cloud
eu-west-3-aws.ua-mil[.]cloud
us-east-1-aws.s3-ua[.]cloud
us-east-1-aws.ua-sec[.]cloud
us-east-2.gov-ua[.]cloud
us-east-2.ukrainesec[.]cloud
us-east-2-aws.ua-gov[.]cloud
us-east-console.aws-ukraine[.]cloud
us-west-1.aws-ukraine[.]cloud
us-west-1.ua-gov[.]cloud
us-west-1-amazon.ua-energy[.]cloud
us-west-1-amazon.ua-sec[.]cloud
us-west-2.gov-ua[.]cloud
us-west-2.ua-sec[.]cloud
us-west-2-aws.s3-ua[.]cloud
ap-northeast-1-aws.ukrainesec[.]cloud
ca-central-1.ua-gov[.]cloud
ca-west-1.mfa-gov[.]cloud
central-2-aws.ua-mil[.]cloud
central-2-aws.ukrainesec[.]cloud
eu-central-1.difesa-it[.]cloud
eu-central-1.mil-be[.]cloud
eu-central-1.minbuza[.]cloud
eu-central-1.msz-pl[.]cloud
eu-central-1.regeringskansliet-se[.]cloud
eu-central-1.s3-esa[.]cloud
eu-central-1.ua-gov[.]cloud
eu-central-1.ukrtelecom[.]cloud
eu-central-1-aws.dep-no[.]cloud
eu-central-1-aws.gov-sk[.]cloud
eu-central-1-aws.mfa-gov[.]cloud
eu-central-1-aws.mindef-nl[.]cloud
eu-central-1-aws.mzv-sk[.]cloud
eu-central-1-aws.presidencia-pt[.]cloud
eu-central-1-aws.regeringskansliet-se[.]cloud
eu-central-1-aws.s3-ua[.]cloud
eu-central-1-aws.ukrainesec[.]cloud
eu-central-2-aws.aws-ukraine[.]cloud
eu-central-2-aws.gov-pl[.]cloud
eu-central-2-aws.mil-be[.]cloud
eu-central-2-aws.mindef-nl[.]cloud
eu-central-2-aws.mzv-sk[.]cloud
eu-central-2-aws.regeringskansliet-se[.]cloud
eu-central-2-aws.ua-gov[.]cloud
eu-central-2-aws.ukrtelecom[.]cloud
eu-east-1-aws.dep-no[.]cloud
eu-east-1-aws.gov-ua[.]cloud
eu-east-1-aws.mil-pl[.]cloud
eu-east-1-aws.mindef-nl[.]cloud
eu-east-1-aws.mzv-sk[.]cloud
eu-east-1-aws.regeringskansliet-se[.]cloud
eu-east-1-aws.s3-de[.]cloud
eu-east-1-aws.ua-sec[.]cloud
eu-north-1.difesa-it[.]cloud
eu-north-1.gov-ua[.]cloud
eu-north-1.mil-be[.]cloud
eu-north-1.mzv-sk[.]cloud
eu-north-1.regeringskansliet-se[.]cloud
eu-north-1.s3-de[.]cloud
eu-north-1-aws.dep-no[.]cloud
eu-north-1-aws.gov-pl[.]cloud
eu-north-1-aws.mil-be[.]cloud
eu-north-1-aws.minbuza[.]cloud
eu-north-1-aws.presidencia-pt[.]cloud
eu-north-1-aws.regeringskansliet-se[.]cloud
eu-north-1-aws.s3-de[.]cloud
eu-north-1-aws.ua-gov[.]cloud
eu-south-1-aws.dep-no[.]cloud
eu-south-1-aws.gov-pl[.]cloud
eu-south-1-aws.mfa-gov[.]cloud
eu-south-1-aws.minbuza[.]cloud
eu-south-1-aws.quirinale[.]cloud
eu-south-1-aws.s3-de[.]cloud
eu-south-2.dep-no[.]cloud
eu-south-2.gov-sk[.]cloud
eu-south-2.mil-pl[.]cloud
eu-south-2.s3-be[.]cloud
eu-south-2.s3-esa[.]cloud
eu-south-2.ua-sec[.]cloud
eu-south-2-aws.amazonsolutions[.]cloud
eu-south-2-aws.gov-pl[.]cloud
eu-south-2-aws.mfa-gov[.]cloud
eu-south-2-aws.mil-pl[.]cloud
eu-south-2-aws.minbuza[.]cloud
eu-south-2-aws.mzv-sk[.]cloud
eu-south-2-aws.quirinale[.]cloud
eu-south-2-aws.s3-be[.]cloud
eu-south-2-aws.s3-esa[.]cloud
eu-south-2-aws.s3-ua[.]cloud
eu-southeast-1-aws.amazonsolutions[.]cloud
eu-southeast-1-aws.dep-no[.]cloud
eu-southeast-1-aws.gov-sk[.]cloud
eu-southeast-1-aws.mil-be[.]cloud
eu-southeast-1-aws.mindef-nl[.]cloud
eu-southeast-1-aws.mzv-cz[.]cloud
eu-southeast-1-aws.quirinale[.]cloud
eu-southeast-1-aws.s3-de[.]cloud
eu-southeast-1-aws.s3-ua[.]cloud
eu-southeast-1-aws.ukrainesec[.]cloud
eu-west-1.difesa-it[.]cloud
eu-west-1.mil-be[.]cloud
eu-west-1.minbuza[.]cloud
eu-west-1.mzv-sk[.]cloud
eu-west-1.s3-de[.]cloud
eu-west-1.s3-ua[.]cloud
eu-west-1.ukrtelecom[.]cloud
eu-west-1-aws.aws-ukraine[.]cloud
eu-west-1-aws.gov-pl[.]cloud
eu-west-1-aws.gov-trust[.]cloud
eu-west-1-aws.mil-be[.]cloud
eu-west-1-aws.minbuza[.]cloud
eu-west-1-aws.s3-be[.]cloud
eu-west-1-aws.s3-esa[.]cloud
eu-west-1-aws.ua-sec[.]cloud
eu-west-2-aws.amazonsolutions[.]cloud
eu-west-2-aws.difesa-it[.]cloud
eu-west-2-aws.gov-sk[.]cloud
eu-west-2-aws.mil-be[.]cloud
eu-west-2-aws.minbuza[.]cloud
eu-west-2-aws.msz-pl[.]cloud
eu-west-2-aws.quirinale[.]cloud
eu-west-2-aws.s3-de[.]cloud
eu-west-2-aws.s3-nato[.]cloud
eu-west-2-aws.ua-sec[.]cloud
eu-west-3.aws-ukraine[.]cloud
eu-west-3.mil-pl[.]cloud
eu-west-3.mindef-nl[.]cloud
eu-west-3.mzv-sk[.]cloud
eu-west-3.s3-be[.]cloud
eu-west-3.ukrainesec[.]cloud
eu-west-3-aws.aws-ukraine[.]cloud
eu-west-3-aws.difesa-it[.]cloud
eu-west-3-aws.gov-sk[.]cloud
eu-west-3-aws.mil-be[.]cloud
eu-west-3-aws.mil-pt[.]cloud
eu-west-3-aws.mindef-nl[.]cloud
eu-west-3-aws.mzv-sk[.]cloud
eu-west-3-aws.regeringskansliet-se[.]cloud
eu-west-3-aws.s3-ua[.]cloud
us-east-1-aws.mfa-gov[.]cloud
us-east-1-aws.ua-gov[.]cloud
us-east-2.aws-ukraine[.]cloud
us-east-2.ua-sec[.]cloud
us-east-2-aws.gov-ua[.]cloud
us-east-2-aws.ukrtelecom[.]cloud
us-east-console.ua-energy[.]cloud
us-west-1.ua-energy[.]cloud
us-west-1.ukrtelecom[.]cloud
us-west-1-amazon.ua-mil[.]cloud
us-west-1-aws.gov-ua[.]cloud
us-west-2.ua-energy[.]cloud
us-west-2-aws.mfa-gov[.]cloud
us-west-2-aws.ua-energy[.]cloud
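The Summary describes the mechanism of this campaign (a signed .rdp attachment whose "full address" points at an actor-controlled server and whose settings hand that server access to the victim's files, peripherals and authentication devices), and the list above gives the remote computer domains to match against. The following inspector ties the two together for a mail gateway or triage script. It is an added example written for this page, not code from Microsoft or RH-ISAC; the IoC subset and both sample .rdp bodies are constructed, the signature value is a placeholder, and the set of resource-redirection settings it flags is the editor's selection of standard .rdp settings rather than a list from the advisory.

```python
"""Inspect .rdp attachments for the traits described in the advisory: a remote
computer on the published IoC list, and resource redirection that would expose
local files, peripherals and authentication devices to the remote host."""

# Constructed subset of the advisory's defanged "RDP remote computer domains";
# a real deployment loads the complete list from the advisory.
REMOTE_COMPUTER_IOCS_DEFANGED = [
    "eu-central-1.s3-nato[.]cloud",
    "eu-west-1-aws.amazonsolutions[.]cloud",
    "us-east-2.gov-ua[.]cloud",
]

# Standard .rdp settings that give the remote host access to local resources.
# The selection and labels are the editor's, not a list from the advisory.
RESOURCE_REDIRECTION_KEYS = {
    "drivestoredirect": "local drives (files)",
    "devicestoredirect": "plug-and-play devices",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectposdevices": "POS devices",
    "redirectsmartcards": "smart cards (authentication)",
    "redirectwebauthn": "WebAuthn / passkeys (authentication)",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]cloud into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines into {name: (type, value)}. Names are
    lower-cased; blank lines and ';' comments are skipped; the value may itself
    contain ':' (host:port), so each line is split at most twice."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line: ignore rather than fail the whole file
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ, value)
    return settings


def host_from_full_address(full_address: str) -> str:
    """'host:port' or 'host' -> 'host' (IPv6 literals are not handled here)."""
    return full_address.split(":", 1)[0].strip().lower()


def host_matches_ioc(host: str, iocs) -> bool:
    """True if host equals an indicator or is a subdomain of one."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def redirection_enabled(typ: str, value: str) -> bool:
    """Integer settings are on when non-zero; string settings such as
    drivestoredirect:s:* are on when non-empty."""
    return value not in ("", "0") if typ == "i" else value != ""


def assess_rdp(text: str, defanged_iocs=REMOTE_COMPUTER_IOCS_DEFANGED) -> dict:
    """Return a structured verdict for one .rdp file body."""
    iocs = [refang(d) for d in defanged_iocs]
    settings = parse_rdp(text)
    host = host_from_full_address(settings.get("full address", ("s", ""))[1])
    redirections = [label for key, label in RESOURCE_REDIRECTION_KEYS.items()
                    if key in settings and redirection_enabled(*settings[key])]
    ioc_match = host_matches_ioc(host, iocs)
    # A signature only proves who produced the file; it says nothing about the
    # destination, so it never lowers the verdict.
    signed = "signature" in settings
    verdict = "block" if ioc_match else ("review" if redirections else "allow")
    return {"host": host, "ioc_match": ioc_match, "signed": signed,
            "redirections": redirections, "verdict": verdict}


# Constructed sample mimicking the campaign's traits; the signature is a placeholder.
SUSPICIOUS_RDP = """\
full address:s:eu-central-1.s3-nato.cloud:3389
username:s:
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Drive Store Redirect
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Constructed benign sample: internal host, no redirection, unsigned.
BENIGN_RDP = """\
full address:s:rdp.corp.example.internal
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(name, assess_rdp(body))
```

The "review" verdict exists because a file that redirects drives or smart cards to a host not yet on the IoC list is still worth a human look; matching is done on the exact host or any subdomain of an indicator, since the list above already shows the actor rotating region-style labels in front of the same registered domains.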