APT29 impersonates AWS domains to steal data

November 11, 2024
Tags: AWS, APT29, Domains, Spear Phishing, Cyberattack, Data Theft

The Russian state-backed advanced persistent threat group known as APT29 has launched a widespread phishing operation, a shift away from the narrowly targeted campaigns it usually runs. The Kremlin's foremost APT group has phished thousands of targets across various industries, including militaries, government agencies, and businesses.

APT29, also widely known as Cozy Bear, is among the best-known threat groups in the world. It is best known for the historic breaches of SolarWinds and the Democratic National Committee, and it has recently breached Microsoft's codebase as well as political targets in Europe, Africa, and elsewhere.

The group relies on several techniques, notably spear-phishing and vulnerability exploitation, to gain initial access and escalate privileges. Its primary strategy is to harvest foreign intelligence while maintaining persistence in compromised organisations so that it can carry out future operations.

Along the same lines, CERT-UA recently found APT29 phishing Windows credentials from government, military, and commercial-sector targets in Ukraine. After comparing notes with authorities in other nations, CERT-UA determined that the campaign's target set was considerably broader than Ukraine alone.

APT29 mimics AWS and Microsoft in executing a widespread data-stealing operation.

The APT29 campaign began in August and used fraudulent domain names that appeared to belong to Amazon Web Services (AWS). Emails sent from these domains purported to contain instructions on integrating AWS with Microsoft services and implementing a zero-trust architecture.

Despite the impersonation, AWS stated that the attackers were not after Amazon or its customers' AWS credentials. The email attachments showed that the group's lure was Remote Desktop configuration files, the files opened by Microsoft's Remote Desktop client, the application that implements the Remote Desktop Protocol (RDP).

Launching one of these malicious attachments would have opened an immediate outbound RDP connection to an APT29 server. The files also contained several other malicious parameters, so that once the connection was established the attacker gained access to the target computer's storage, clipboard, audio devices, network resources, printers, and communication (COM) ports, among other resources, along with the ability to run custom malicious scripts.
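To make the attachment behaviour described above concrete, here is an added example of a defender-side audit, not code from the article or from AWS or CERT-UA. It parses an RDP connection file (the `key:type:value` lines that Microsoft's Remote Desktop client reads) and flags the resource-redirection and program-launch settings a lure of this kind would carry, and it extracts the outbound target host so it can be checked against an allowlist. The key names are standard `.rdp` settings; the two sample files, the host names and the trusted-host list are constructed placeholders, not artefacts from the campaign.

```python
"""Audit an RDP connection file for settings that hand local resources to
the remote host or run a program on connect. Added example; key names are
the standard .rdp settings, sample data below is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# key -> (predicate over the decoded value that is True when risky, reason)
RISKY_SETTINGS = {
    "drivestoredirect": (lambda v: bool(v), "local drives redirected to remote host"),
    "devicestoredirect": (lambda v: bool(v), "plug-and-play devices redirected"),
    "usbdevicestoredirect": (lambda v: bool(v), "USB devices redirected"),
    "redirectclipboard": (lambda v: v == 1, "clipboard shared with remote host"),
    "redirectprinters": (lambda v: v == 1, "printers redirected"),
    "redirectcomports": (lambda v: v == 1, "COM ports redirected"),
    "redirectsmartcards": (lambda v: v == 1, "smart cards redirected"),
    "redirectposdevices": (lambda v: v == 1, "POS devices redirected"),
    "audiocapturemode": (lambda v: v == 1, "microphone redirected"),
    "audiomode": (lambda v: v == 0, "remote audio played on this computer"),
    "remoteapplicationmode": (lambda v: v == 1, "RemoteApp mode: program runs on connect"),
    "remoteapplicationprogram": (lambda v: bool(v), "remote program specified"),
    "alternate shell": (lambda v: bool(v), "alternate shell runs on connect"),
}


@dataclass
class RdpReport:
    target: Optional[str]                      # host the file would connect to
    untrusted_target: bool = False             # host not in the allowlist
    findings: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.untrusted_target or bool(self.findings)


def parse_rdp(text: str) -> Dict[str, Union[int, str]]:
    """Decode key:type:value lines; 'i' values become ints, others stay strings."""
    settings: Dict[str, Union[int, str]] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # mstsc writes UTF-16 with a BOM
        if line.count(":") < 2:
            continue
        key, typ, value = line.split(":", 2)  # keys may contain spaces
        key, value = key.strip().lower(), value.strip()
        if typ == "i" and re.fullmatch(r"-?\d+", value):
            settings[key] = int(value)
        else:
            settings[key] = value
    return settings


def _host_of(address: str) -> str:
    """Strip a trailing :port from a 'full address' value."""
    m = re.match(r"^(.+):(\d+)$", address)
    return (m.group(1) if m else address).lower()


def audit_rdp(text: str, trusted_hosts: frozenset = frozenset()) -> RdpReport:
    """Return the target host and every risky setting present in the file."""
    settings = parse_rdp(text)
    address = settings.get("full address")
    host = _host_of(address) if isinstance(address, str) and address else None
    report = RdpReport(target=host)
    report.untrusted_target = host is not None and host not in {h.lower() for h in trusted_hosts}
    for key, (is_risky, why) in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key]):
            report.findings.append((key, why))
    return report


# Constructed samples (placeholder hosts, not campaign artefacts).
TRUSTED_HOSTS = frozenset({"ts01.corp.example.invalid"})

LURE_RDP = """\
full address:s:rdp-gateway.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Setup
screen mode id:i:2
"""

BENIGN_RDP = """\
full address:s:ts01.corp.example.invalid
drivestoredirect:s:
redirectclipboard:i:0
audiomode:i:2
screen mode id:i:2
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        r = audit_rdp(sample, TRUSTED_HOSTS)
        print(f"{name}: target={r.target} untrusted={r.untrusted_target} suspicious={r.suspicious}")
        for key, why in r.findings:
            print(f"  {key}: {why}")
```

Run on the lure sample the audit reports an untrusted target and eight findings; on the benign sample it reports nothing. Mail gateways can apply the same check to `.rdp` attachments before delivery, and the extracted `target` gives the host to search for in outbound connection logs.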

APT29 did not abuse any legitimate AWS domains, but Amazon was nevertheless able to disrupt the operation by identifying and seizing the domains that impersonated it.

Finally, potential targets should apply strict safeguards, including monitoring network logs for connections to APT29-related IP addresses and reviewing all outbound connections to external IP addresses until the end of the month, to avoid falling victim to this scheme.
