APT29 targets high-profile victims via rogue RDP campaigns

December 23, 2024
Tags: APT29, RDP, Remote Desktop Protocol, Russia, Spear Phishing, Cyberattack

A Russia-linked hacking group, known as APT29 or Earth Koshchei, has been observed targeting high-profile victims using a sophisticated attack method that exploits Remote Desktop Protocol (RDP) servers.

This group, which has previously focused on espionage campaigns, is now utilising a previously documented technique involving malicious RDP configuration files to compromise systems. The campaign has primarily targeted governments, military forces, think tanks, academic researchers, and entities based in Ukraine.

The attackers’ method centres on tricking their victims into opening spear-phishing emails containing a malicious RDP configuration file. Once launched, this file establishes a connection to a foreign RDP server controlled by the attackers.

Notably, this technique relies on using an open-source tool called PyRDP, a Python-based tool designed to intercept and redirect RDP connections. The tool acts as a middleman between the victim’s machine and the malicious server, thereby reducing the likelihood of detection. The connection ultimately redirects to a rogue server that mimics the behaviour of a legitimate RDP server, enabling the attackers to exploit the session and carry out various malicious activities.
Once APT29 has access to the victim’s system, they can deploy scripts, manipulate system settings, and perform file operations.
The attackers also gain the ability to inject malicious payloads into the victim’s system, allowing them to steal data, including login credentials and proprietary information. What makes this method particularly concerning is the fact that it does not require the deployment of custom malware, which allows the attackers to operate under the radar, avoiding detection by traditional security measures.
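A defender-side triage check for the malicious .rdp configuration files described above, added here as an example that is not part of the original article: it parses the file's key:type:value lines and flags the settings (an untrusted target host plus drive, clipboard and smart-card redirection, and RemoteApp mode) that hand a rogue server access to the victim's machine. The trusted-host list and both sample files are constructed assumptions.

```python
from typing import Dict, List

# Hosts your organisation actually operates; an assumption for this example.
TRUSTED_HOSTS = {"rdp.corp.example.com"}

# Constructed samples in the "key:type:value" layout used by mstsc .rdp files.
SUSPICIOUS_RDP = """\
full address:s:gateway.example-attacker.invalid:443
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Outlook
"""
BENIGN_RDP = """\
full address:s:rdp.corp.example.com
drivestoredirect:s:
redirectclipboard:i:0
"""

def parse_rdp(text: str) -> Dict[str, str]:
    """Return key -> value for every well-formed 'key:type:value' line."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        parts = line.split(":", 2)  # keys may contain spaces but never ':'
        if len(parts) != 3:
            continue  # malformed line, ignore
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings

def scan_rdp(text: str) -> List[str]:
    """Return finding codes for the settings that matter; [] means clean."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = s.get("full address", "").rsplit(":", 1)[0].lower()  # strip :port
    if host and host not in TRUSTED_HOSTS:
        findings.append("untrusted_host")
    if s.get("drivestoredirect"):  # '*' or a drive list exposes local disks
        findings.append("drive_redirect")
    if s.get("redirectclipboard") == "1":
        findings.append("clipboard_redirect")
    if s.get("redirectsmartcards") == "1":
        findings.append("smartcard_redirect")
    if s.get("remoteapplicationmode") == "1":  # RemoteApp hides full session
        findings.append("remoteapp_mode")
    return findings
```

Run it over .rdp attachments at the mail gateway or on endpoints; any finding other than an empty list is worth quarantining and reviewing, and the host check alone catches files pointing at servers you do not operate.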

The campaign, which is believed to have begun in early August 2024, has seen the attackers target as many as 200 high-profile victims in a single day. The scale of the operation highlights the group’s resourcefulness and strategic planning. Moreover, to maintain anonymity, the group uses Tor exit nodes, residential proxy providers, and commercial VPN services, allowing them to hide their activities while controlling the RDP servers and sending phishing emails.

This new approach by Earth Koshchei (APT29) showcases their ability to adapt and innovate by leveraging old and new vulnerabilities, as well as the methodologies used by red teams for penetration testing. Their focus on using legitimate tools and techniques enables them to carry out sophisticated espionage campaigns with minimal risk of detection, posing a significant threat to targeted organisations and individuals.

As this campaign continues to unfold, it emphasises the danger of cyberattacks, particularly those linked to state-sponsored groups.