This is a novel attack vector - #MidnightBlizzard, aka #CozyBear, aka #APT29, is using signed RDP config files in #spearphishing attacks, according to a new report from Microsoft Threat Intelligence. When opened, the config causes the victim to connect to an attacker-controlled RDP server, granting the attacker access to resources on the victim's local host including the filesystem, clipboard, and peripheral devices. The RDP is signed using LetsEncrypt certs, to add a perception of legitimacy, and the phishing emails are sent from previously compromised domains. The organization behind this is the Russian Foreign Intelligence Service (Sluzhba Vneshney Razvedki, or SVR), and they appear to be targeting government agencies, higher ed, defense, and NGOs in many countries, but particularly UK/Europe, Australia, and Japan. See the Microsoft report for a full description including mitigations and indicators, and hunt queries: https://lnkd.in/gJcAgKkD
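A defender-side triage of a received .rdp attachment, as an added example that is not part of the post or of Microsoft's report: it parses the file's key:type:value lines, reports which local resources (drives, clipboard, devices) the file would hand to the remote server, whether the file carries a signature block, and whether the target host is on an allow list. The host names, the allow list and the signature value in the sample are constructed.

```python
"""Triage an .rdp attachment: which server it connects to and which local
resources it hands over. Added example; the sample file is constructed."""

# Real .rdp settings that expose local resources to the remote server.
# Each entry maps the key to a predicate that is true for the risky value.
REDIRECT_KEYS = {
    "drivestoredirect": lambda v: v != "",      # "*" = every local drive
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "devicestoredirect": lambda v: v != "",     # "*" = every PnP device
}

def parse_rdp(text):
    """Return {key: value} from 'key:type:value' lines; skips malformed lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            key, _type, value = parts
            settings[key.strip().lower()] = value.strip()
    return settings

def triage(text, allowed_hosts):
    """Summarise the file: target host, redirected resources, signature present,
    and an overall verdict (redirection to a host outside the allow list)."""
    s = parse_rdp(text)
    host = s.get("full address", "")
    hostname = host.split(":")[0].lower()
    allowed = hostname in {h.lower() for h in allowed_hosts}
    redirected = [k for k, risky in REDIRECT_KEYS.items() if k in s and risky(s[k])]
    return {
        "host": host,
        "host_allowed": allowed,
        "redirected": redirected,
        "signed": "signature" in s,   # a signature proves nothing about intent
        "suspicious": bool(redirected) and not allowed,
    }

# Constructed sample mirroring the described pattern: external host, all drives
# and devices redirected, and a signature block present.
SAMPLE = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
devicestoredirect:s:*
signscope:s:Full Address,Alternate Full Address
signature:s:CONSTRUCTED_SIGNATURE_BLOB
"""

if __name__ == "__main__":
    print(triage(SAMPLE, allowed_hosts={"rds.corp.example"}))
```

The verdict deliberately ignores the signature: a valid signature only shows who signed the file, not that the server it points to is trustworthy.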
Initial Access Tactics of Russian Cyber Threat Groups
Summary
The initial access tactics of Russian cyber threat groups refer to the methods these attackers use to gain entry into target systems and organizations, often as the first step in launching espionage or disruptive operations. These groups, linked to Russian government agencies, employ sophisticated, deceptive strategies to compromise targets ranging from government bodies to supply chain companies.
- Stay alert for phishing: Be cautious of emails or messages, especially those with attachments or links, as attackers frequently use them to trick users into granting remote access or downloading malware.
- Update security tools: Regularly update your apps and antivirus programs, since attackers often exploit known vulnerabilities and outdated software to slip past defenses.
- Monitor account activity: Keep an eye on login attempts and mailbox permissions for unusual behavior, as attackers may use fake login pages, password spraying, or manipulate accounts to maintain access.
THREAT CAMPAIGN: HOW APT44 EMPLOYED TOR-BASED C2 AND SSH/RDP BACKDOORS VIA EMBEDDED POWERSHELL SCRIPT IN A TROJANIZED ACTIVATION TOOL

ℹ️ Researchers detail a cyber espionage campaign by the Russian-linked Sandworm APT group (a.k.a. APT44), targeting Ukrainian Windows users. The attackers distribute trojanized Microsoft Key Management Service (KMS) activation tools and fake Windows updates to deliver a malware loader named BACKORDER, which subsequently deploys the Dark Crystal Remote Access Trojan (DcRAT). This malware enables the exfiltration of sensitive data and facilitates cyber espionage activities.

ℹ️ Key Points:

📍 DISTRIBUTION METHOD
■ The malicious KMS activators are disseminated through password-protected ZIP files on torrent platforms, masquerading as tools to bypass Windows licensing. This tactic exploits the prevalence of unlicensed software in Ukraine, where an estimated 70% of state sector software is unlicensed.

📍 MALWARE FUNCTIONALITY
■ Upon execution, the fake activator presents a counterfeit Windows activation interface while the BACKORDER loader operates covertly. BACKORDER disables Windows Defender, adds exclusion rules, and employs Living Off the Land Binaries (LOLBINs) to evade detection.
■ It then downloads and executes DcRAT, which collects data such as screenshots, keystrokes, browser credentials, FTP credentials, system information, and saved credit card details. Persistence is maintained through scheduled tasks that regularly launch the malicious payload.

📍 EMBEDDED POWERSHELL SCRIPT
■ Tor-based C2 enabled stealthy communication with infected hosts, obscuring attacker infrastructure and making detection difficult.
■ RDP backdoor setups ensured interactive control by enabling Remote Desktop, adding hidden user accounts, and modifying firewall rules to evade security monitoring.
■ OpenSSH deployment facilitated encrypted backdoor access, allowing attackers to bypass conventional authentication controls. This creates an additional remote channel for the attackers beyond the RDP backdoor.

📍 ATTRIBUTION TO SANDWORM
■ The campaign is linked to Sandworm based on factors including the use of ProtonMail accounts in WHOIS records, overlapping infrastructure, consistent TTPs, and the reuse of BACKORDER, DcRAT, and TOR network mechanisms. Additionally, debug symbols referencing a Russian-language build environment further support this attribution.

ℹ️ This operation underscores the risks associated with using pirated software, particularly in regions with high rates of unlicensed software usage. By embedding malware in widely used programs, adversaries can conduct large-scale espionage, data theft, and network compromise, posing significant threats to national security and critical infrastructure.

Report: https://lnkd.in/dTZDcNHV

#threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
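A hunt over Windows Security events for the RDP backdoor setup the post describes (a new local account, membership in Remote Desktop Users, a new firewall rule, and a scheduled task for persistence), as an added example that is not part of the post or the underlying report. The event IDs are the standard Windows Security audit IDs; the step names, the simplified field names and the sample events are this example's own constructions.

```python
"""Correlate Windows Security events that together resemble the RDP backdoor
setup described above. Added example; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs; the step names are this example's own.
STEPS = {
    4720: "account_created",
    4732: "added_to_local_group",   # counted only for Remote Desktop Users
    4946: "firewall_rule_added",
    4698: "scheduled_task_created",
}

def classify(ev):
    """Return the setup step an event represents, or None if irrelevant."""
    step = STEPS.get(ev["EventID"])
    if step == "added_to_local_group" and ev.get("GroupName") != "Remote Desktop Users":
        return None
    return step

def find_backdoor_setups(events, window=timedelta(minutes=30), min_steps=3):
    """Flag hosts where at least min_steps distinct steps occur within one
    sliding window. Returns {host: sorted list of step names}."""
    by_host = defaultdict(list)
    for ev in events:
        step = classify(ev)
        if step:
            by_host[ev["Computer"]].append((datetime.fromisoformat(ev["Time"]), step))
    hits = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            steps = {s for t, s in items[i:] if t - t0 <= window}
            if len(steps) >= min_steps:
                hits[host] = sorted(steps)
                break
    return hits

# Constructed sample (field names simplified from the real event XML):
# WS01 shows the full chain, WS02 only a routine group change.
SAMPLE_EVENTS = [
    {"Time": "2025-01-10T09:00:05", "Computer": "WS01", "EventID": 4720},
    {"Time": "2025-01-10T09:00:09", "Computer": "WS01", "EventID": 4732, "GroupName": "Remote Desktop Users"},
    {"Time": "2025-01-10T09:01:30", "Computer": "WS01", "EventID": 4946},
    {"Time": "2025-01-10T09:02:00", "Computer": "WS01", "EventID": 4698},
    {"Time": "2025-01-10T11:00:00", "Computer": "WS02", "EventID": 4732, "GroupName": "Administrators"},
]

if __name__ == "__main__":
    print(find_backdoor_setups(SAMPLE_EVENTS))
```

Requiring several distinct steps inside one window keeps a lone account creation or firewall change from firing on its own.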
-
APT29, also known as Midnight Blizzard, Nobelium, and Cozy Bear, recently carried out targeted phishing campaigns aimed at European diplomatic and embassy personnel from August to October 2023. These campaigns involved the deployment of a custom malware named GrapeLoader, utilizing wine-themed phishing tactics. Intelligence agencies and cybersecurity experts have confidently linked APT29 to Russia’s Foreign Intelligence Service (SVR), highlighting the group's history of targeting government bodies, diplomatic offices, think tanks, and critical infrastructure sectors in North America and Europe. The latest GrapeLoader initiative showcases APT29's persistent use of advanced tactics, techniques, and procedures (TTPs) with a specific emphasis on collecting intelligence from diplomatic entities.

Key Takeaways:
+ APT29 deployed the previously unknown GrapeLoader malware against EU diplomatic and embassy personnel using wine-themed phishing lures containing malicious OneNote attachments.
+ APT29 is attributed to Russia’s Foreign Intelligence Service (SVR) with high confidence based on technical indicators, victimology patterns, and intelligence assessments from multiple national security agencies.
+ The threat actor has a documented history of sophisticated campaigns including SolarWinds, SVR cloud-based attacks (MFA bombing), CISA/FBI-confirmed critical infrastructure targeting, and multiple operations against government entities.
+ GrapeLoader employed multi-stage deployment, DLL side-loading, and advanced obfuscation techniques consistent with APT29’s historical sophistication.
+ The primary objective appeared to be espionage and intelligence gathering against European diplomatic targets, aligned with Russia’s strategic interests.
-
Google Threat Intelligence Group released a report today revealing Russian APT44 (Sandworm) and other state-aligned actors are compromising Signal Messenger accounts to spy on Ukrainian military and government personnel. Our research outlines several tactics, including a technique that exploits Signal’s legitimate “linked devices” feature. If successfully exploited, it grants attackers access to the victim’s messages in real-time, making it difficult to detect and allowing for long-term surveillance. These attacks are often disguised as group invites, security alerts, and some even mimic military applications. Once the malicious QR code is scanned, it silently links the victim’s Signal account to a threat-actor controlled instance, allowing the threat actor to eavesdrop on the victim’s secure conversations in real-time; all without fully compromising the device. In response to these findings, the Signal team coordinated closely with GTIG to investigate this activity and subsequently pushed updates to Android and iOS to help protect against similar phishing campaigns in the future. Signal users should immediately update to the latest version of the app on their mobile devices to ensure they are protected by the latest security enhancements. ➡️ Read our full report here: https://lnkd.in/g5Kn62Qn
-
Major Cybersecurity Alert - Russian GRU Unleashes Sophisticated Campaign Against Western Supply Lines

A devastating new intelligence report reveals how Russian military hackers have been systematically infiltrating the backbone of Western aid to Ukraine - targeting the very companies moving critical supplies across borders.

The Scope is Staggering:
• 85th Main Special Service Center (Unit 26165) - Russia's elite cyber warfare unit - has compromised dozens of logistics companies across 13 countries
• Victims include major transportation hubs, ports, airports, maritime companies, and IT service providers
• The operation spans from Bulgaria to the United States, with over 10,000 IP cameras hijacked to monitor aid shipments in real-time

Their Methods:
The hackers didn't just break into networks - they studied their targets like predators. They identified key personnel, mapped business relationships, and exploited trust between partner companies. Once inside, they accessed the most sensitive intelligence: train schedules, shipping manifests, container numbers, cargo contents, and exact travel routes of aid shipments to Ukraine.

The Most Disturbing Discovery:
Russians positioned themselves to watch everything. They compromised traffic cameras and private security cameras near border crossings and military installations. Camera targets were positioned to monitor aid flowing into the country. They could literally watch Western aid arrive and coordinate attacks accordingly.

How They Got In:
• Exploited Microsoft Outlook vulnerabilities to steal credentials
• Used fake login pages impersonating government entities
• Weaponized WinRAR file compression software
• Conducted massive password-spraying campaigns
• Even attempted voice phishing, calling victims while impersonating IT staff

The Persistence Factor:
Once inside corporate email systems, they manipulated mailbox permissions for sustained access, enrolled compromised accounts in multi-factor authentication to appear legitimate, and used legitimate Microsoft Exchange protocols to blend their data theft with normal business operations.

Why This Matters:
This isn't just corporate espionage - it's military intelligence gathering that directly threatens Ukrainian defense capabilities. Every compromised shipment manifest potentially enables Russian forces to target aid convoys, anticipate weapon deliveries, or disrupt critical supply chains. The investigation involved 15+ international intelligence agencies, highlighting how seriously Western governments view this threat.

Organizations handling sensitive logistics or supporting Ukrainian aid efforts should immediately review their cybersecurity posture and monitor for the specific indicators outlined in this advisory.

#CyberSecurity #Ukraine #Russia #NationalSecurity #Logistics
-
Bitdefender Labs, with support from Georgian CERT, discovered that Curly COMrades (Russian APT group) establish covert, long-term access to victim networks by abusing virtualization features (Hyper-V) on compromised Windows 10 machines. The attackers enabled the Hyper-V role on selected victim systems (Win10) to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat. By isolating the malware and its execution environment within a VM, the attackers created a hidden remote operating environment while effectively bypassing many traditional host-based EDR detections. Full research is available here: https://lnkd.in/eXAREngC
-
A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks

A team Microsoft calls BadPilot is acting as Sandworm's “initial access operation,” the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.

Over the last decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, even more so since Russian president Vladimir Putin's full-scale invasion of Russia's neighbor. Now Microsoft is warning that a team within that notorious hacking group has shifted its targeting, indiscriminately working to breach networks worldwide—and, in the last year, has seemed to show a particular interest in networks in English-speaking Western countries.

On Wednesday, Microsoft's threat intelligence team published new research into a group within Sandworm that the company’s analysts are calling BadPilot. Microsoft describes the team as an “initial access operation” focused on breaching and gaining a foothold in victim networks before handing off that access to other hackers within Sandworm’s larger organization, which security researchers have for years identified as a unit of Russia’s GRU military intelligence agency. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move within victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says. Microsoft didn't name any specific victims of BadPilot's intrusions, but broadly stated that the hacker group's targets have included “energy, oil and gas, telecommunications, shipping, arms manufacturing,” and “international governments.” On at least three occasions, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets.

Microsoft warns that BadPilot has specifically exploited a vulnerability in the remote access tool ConnectWise ScreenConnect and Fortinet FortiClient EMS, another application for centrally managing Fortinet's security software on PCs. After exploiting those vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim machine, often with legitimate remote access tools like Atera Agent or Splashtop Remote Services. In some cases, in a more unique twist, it also sets up a victim's computer to run as a so-called onion service on the Tor anonymity network.

https://lnkd.in/gNKqqPP9

#cybersecurity #Russia #BadPilot #GRU #West #English #US #UK #Australia #Canada
-
Our threat intelligence team has identified and disrupted a watering hole campaign conducted by APT29 (also known as Midnight Blizzard), a threat actor associated with Russia’s Foreign Intelligence Service (SVR). Our investigation uncovered an opportunistic watering hole campaign using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow. This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts. More details in the blog linked here. https://lnkd.in/eq9p7_Nn