Microsoft reported that the Russian Foreign Intelligence Service (SVR) carried out a series of attacks on government officials and on employees of organizations in several countries, using a phishing campaign to deliver malware. The campaign, attributed to the group Microsoft tracks as Midnight Blizzard, targets government and non-governmental organizations as well as academic and defense institutions.
This information was reported by The Record.
Since October 22, the attackers have been sending phishing emails carrying Remote Desktop Protocol (RDP) connection files (.rdp attachments). When such a file is opened, the victim's device initiates an outbound RDP session to a server controlled by the attackers. Microsoft noted that the files contain sensitive settings that can give the remote server broad access to the device and its data. Once the session is established, the attackers can install malware, operate within the victim's network, and reach local resources the file redirects to the remote server, including peripheral devices such as printers and hardware security devices (for example smart cards).
Microsoft says the emails were sent to thousands of recipients at more than 100 organizations, including institutions in the UK, Europe, Australia, and Japan. To make the messages more credible, the attackers sometimes impersonated Microsoft employees or invoked Amazon Web Services (AWS), using the theme of "zero trust" as a lure.
Delivering RDP configuration files as phishing attachments is a new tactic for Midnight Blizzard. Besides Microsoft, Amazon has made similar statements confirming that it observed the SVR activity, and it has begun taking down the domains the attackers used for impersonation.