Trend Micro warns that the Russian state-sponsored threat actor Earth Koshchei (also known as “APT29” or “Cozy Bear”) is using spear-phishing emails to trick victims into connecting to rogue Remote Desktop Protocol (RDP) relays.
“Earth Koshchei’s rogue RDP campaign reached its peak on October 22, when spear-phishing emails were sent to governments and armed forces, think tanks, academic researchers, and Ukrainian targets,” Trend Micro explains.
“These emails were designed to deceive recipients into using a rogue RDP configuration file attached to the message. When opened, this RDP configuration file would instruct the target computer to try to connect to a foreign RDP server through one of the 193 RDP relays Earth Koshchei had set up.”
Trend Micro emphasizes that the scale of this spear-phishing campaign dwarfed similar operations launched by other APT groups.
“The scale of the RDP campaign was huge: The number of high-profile targets – about 200 – we saw in one day was about the same size as another APT group like Pawn Storm targets in weeks,” the researchers write. “This was not the first time Earth Koshchei was linked to a massive spear-phishing campaign: In May 2021, they also sent spear-phishing emails to thousands of individual accounts.”
The threat actor registered more than 200 phishing domains in preparation for the campaign, and sent the spear-phishing emails from legitimate but compromised email servers.
“In August 2024, the registered domain names suggested targeting against governments and military in Europe, the US, Japan, Ukraine, and Australia,” the researchers write. “At the end of this month, domain names were registered that look to be related to cloud providers and IT companies. Then, in September 2024, there were batches of domain names that appeared to be based on several think tanks and non-profit organizations. There were also several domain names related to online virtual platforms like Zoom, Google Meet, and Microsoft Teams.”
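As an added defender-side example (not code from Trend Micro or from this post), the following Python script triages an .rdp attachment of the kind described above: it parses the file's key:type:value lines, flags a "full address" that is not one of the organization's approved gateways, and also flags resource-redirection settings that such files can carry (a point the post itself does not cover). The allowlist, hostnames and sample file are constructed for illustration.

```python
import re

# Hypothetical allowlist of the organization's own RDP gateways.
APPROVED_RDP_HOSTS = {"rdp-gw.corp.example", "10.0.5.20"}

# Settings that share local resources (drives, clipboard, printers) with the
# remote server; a rogue server can read or write them once connected.
RISKY_REDIRECTS = {
    "drivestoredirect": lambda v: v not in ("", "0"),
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
}

def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'key:type:value' lines (type is s, i or b); skip malformed lines."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):[sib]:(.*)$", line.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(2).strip()
    return settings

def triage_rdp(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings: list[str] = []
    addr = s.get("full address", "")
    # Strip a single ':port' suffix (IPv6 literals are not handled here).
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    if not addr:
        findings.append("no 'full address' present")
    elif host.lower() not in APPROVED_RDP_HOSTS:
        findings.append(f"connects to unapproved RDP host: {addr}")
    for key, is_risky in RISKY_REDIRECTS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"risky setting {key}={s[key]}")
    return findings

# Constructed sample resembling a rogue attachment (placeholder hostname).
SAMPLE_RDP = """\
full address:s:rdp-relay.example-placeholder.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
prompt for credentials:i:0
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP):
        print("FINDING:", finding)
```

Files saved by the Windows Remote Desktop client are usually UTF-16LE with a byte-order mark, so decode the attachment bytes before passing the text in.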
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Trend Micro has the story.