APT29 Executes Large-Scale RDP Attack Campaign Focused on Espionage and Data Theft
A large-scale rogue Remote Desktop Protocol (RDP) campaign attributed to Earth Koshchei (also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes) was analyzed by Trend Micro. Their analysis builds on activity reported by Amazon, CERT-UA, and Microsoft, which had been attributed to APT29 in October 2024. Trend Micro assigns its attribution of the RDP campaign to APT29, based on associated TTPs, a "medium confidence level." The campaign, which peaked on October 22, 2024, used spear-phishing emails to trick recipients into opening malicious RDP configuration files. These files instructed victims' machines to connect to foreign RDP servers through a network of "193 proxy servers and their domain names and 34 rogue RDP servers" controlled by APT29. Preparations for the campaign began as early as August 7-8, with the registration of over 200 domains aimed at the government, military, think tank, technology, and cybersecurity sectors. The primary targets were located in Ukraine, with 28.5% of victims from government entities, 18.7% from think tanks and NGOs, and 11.4% from military organizations. APT29 has also consistently targeted the telecommunications and research sectors.
The attack methodology Trend Micro observed drew inspiration from a 2022 Black Hills Information Security report. Trend Micro noted that APT29's approach employed techniques inspired by red team methodologies: "They not only pay close attention to old and new vulnerabilities that help them in getting initial access, but they also look at the methodologies and tools that red teams develop." The campaign began with the distribution of spear-phishing emails carrying an RDP configuration file. When opened, the file connected the target machine to a malicious RDP server set up by APT29. Trend Micro described the operation as large-scale, citing "about 200 high-profile targets" affected in a single day. Once the connection was established and redirected to a rogue backend server, the attackers used tools such as PyRDP, a man-in-the-middle (MITM) proxy, to intercept the RDP session and gain control over the victim's machine. With the session in hand, APT29 executed scripts to modify system settings, enumerate directories, and exfiltrate sensitive data such as passwords, configuration files, and proprietary information. Because the attackers browsed file systems and extracted data through the RDP session itself, without installing traditional malware, the operation was difficult to detect.
This campaign underscores the persistent threat posed by APT29, which continues to refine its tactics. Organizations are urged to block outbound RDP connections to untrusted servers and to scrutinize RDP configuration files in order to mitigate the risk of similar attacks. Trend Micro also shared their assessment: "We think that before the massive spear-phishing campaign on October 22, Earth Koshchei had more stealthy campaigns. This is evidenced by traces of data exfiltration through some of their RDP relays. The campaigns probably became less effective over time, so Earth Koshchei did one last scattergun campaign where most of the attacker's infrastructure got burned. This makes them a dangerous adversary that will use different methodologies to reach their goals."
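The mitigation above, scrutinizing RDP configuration files before they are opened, can be automated. The following is an added example, not code from the Trend Micro report or from the campaign itself: a small Python checker that parses the plain-text `.rdp` format (`name:type:value` lines, with `s` for string and `i` for integer settings) and flags a file that points at a server outside an allowlist or that enables resource redirection (drives, clipboard, printers, smart cards) into the remote session, which is what lets a rogue server read local files over the connection. The setting names are standard RDP file settings; the allowlist, the severity rules and the two sample files are constructed for this demonstration.

```python
"""Added example: flag risky settings in an .rdp configuration file.

The allowlist, severity policy and sample files below are constructed
assumptions, not values from the Trend Micro report.
"""
from typing import Dict, List, Set, Tuple

# Constructed allowlist of RDP hosts the organisation considers trusted.
TRUSTED_HOSTS: Set[str] = {"rds.corp.example"}

# Integer settings that, when set to 1, expose local resources to the
# remote server or hide the full desktop from the user.
RISKY_INT_SETTINGS = {
    "redirectdrives": "local drives are mapped into the remote session",
    "redirectclipboard": "clipboard is shared with the remote server",
    "redirectprinters": "local printers are exposed to the remote server",
    "redirectsmartcards": "smart cards are exposed to the remote server",
    "remoteapplicationmode": "RemoteApp mode hides the full remote desktop",
}

# String settings whose non-empty value enumerates resources to redirect.
RISKY_STR_SETTINGS = {
    "drivestoredirect": "explicit list of drives to redirect",
    "devicestoredirect": "explicit list of devices to redirect",
}


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse `name:type:value` lines into {name: (type, value)}.

    maxsplit=2 keeps a value containing ':' (e.g. host:port) intact.
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line; ignored
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def target_host(settings: Dict[str, Tuple[str, str]]) -> str:
    """Return the host from `full address`, without a trailing :port."""
    addr = settings.get("full address", ("s", ""))[1]
    if addr.count(":") == 1:  # hostname:port or IPv4:port form
        addr = addr.rsplit(":", 1)[0]
    return addr.lower()


def assess_rdp(text: str, trusted_hosts: Set[str] = TRUSTED_HOSTS) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one .rdp file."""
    settings = parse_rdp(text)
    findings: List[Tuple[str, str]] = []
    host = target_host(settings)
    untrusted = host not in trusted_hosts
    if untrusted:
        findings.append(("high", f"connects to untrusted RDP server '{host or '<none>'}'"))
    # Redirection towards an untrusted server turns the session into a
    # data channel; towards a trusted server it is only worth noting.
    sev = "high" if untrusted else "info"
    for name, why in RISKY_INT_SETTINGS.items():
        typ, value = settings.get(name, ("i", "0"))
        if typ == "i" and value == "1":
            findings.append((sev, f"{name}=1: {why}"))
    for name, why in RISKY_STR_SETTINGS.items():
        typ, value = settings.get(name, ("s", ""))
        if typ == "s" and value:
            findings.append((sev, f"{name}={value}: {why}"))
    return findings


def should_block(text: str, trusted_hosts: Set[str] = TRUSTED_HOSTS) -> bool:
    """True when any finding is high severity (untrusted destination)."""
    return any(sev == "high" for sev, _ in assess_rdp(text, trusted_hosts))


# Constructed sample: an external server plus full drive/clipboard redirection.
SAMPLE_RDP = """\
full address:s:rdp-gateway.invalid:3389
redirectdrives:i:1
redirectclipboard:i:1
drivestoredirect:s:*
remoteapplicationmode:i:1
prompt for credentials:i:0
"""

# Constructed sample: an internal, allowlisted server with clipboard only.
BENIGN_RDP = """\
full address:s:rds.corp.example
redirectdrives:i:0
redirectclipboard:i:1
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        print(f"{label}: block={should_block(text)}")
        for sev, msg in assess_rdp(text):
            print(f"  [{sev}] {msg}")
```

In a mail gateway or endpoint script the same `assess_rdp` call can run over an attachment before it reaches `mstsc`; the allowlist is the policy decision, so it belongs in configuration rather than in the code.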