Russia’s APT29 Phishing Campaign Targets Military, Political Entities in Multi-Country Operation
Russia’s APT29 Cyber Espionage Group Targeting Global Organizations
Russia's advanced persistent threat group APT29 has launched a large-scale phishing campaign targeting militaries, public authorities, and enterprises worldwide. Also tracked as Midnight Blizzard, Nobelium, and Cozy Bear, APT29 has a long history of high-profile intrusions, including the SolarWinds supply-chain compromise and the breach of the Democratic National Committee (DNC).
More recently, the group gained access to Microsoft source code repositories and has targeted political entities across Europe, Africa, and beyond. Its persistent targeting of organizations in the United States and Europe has raised concern among cybersecurity experts.
According to Satnam Narang, senior staff research engineer at Tenable, APT29 relies on techniques such as spear-phishing and vulnerability exploitation to gain access to sensitive information, with the aims of collecting foreign intelligence and maintaining persistence in compromised organizations for future operations.
The Computer Emergency Response Team of Ukraine (CERT-UA) has observed APT29 phishing for Windows credentials from government, military, and private sector targets in Ukraine. The campaign, which dates back to August, used domain names impersonating Amazon Web Services (AWS) to trick recipients into opening malicious Remote Desktop Protocol (RDP) connection files attached to the emails.
Although AWS disrupted the campaign by seizing the lookalike domains, CERT-UA still advises organizations to review network logs for connections to suspicious hosts and to block .rdp attachments at their email gateways. Authorities continue to work to counter APT29's operations and protect sensitive information.
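CERT-UA's advice is to block .rdp attachments outright. Where a gateway must still let some through (for example connection files for an internal jump host), the script below shows one way to triage them. It is an added example, not CERT-UA or AWS tooling: it parses the documented `name:type:value` format of Windows .rdp files, then blocks any file whose `full address` is not on an allowlist or which enables local-resource redirection. The allowlist (`rdp.corp.example`), the brand-lookalike heuristic, and both sample files are constructed for this example; only the setting names (`full address`, `redirectdrives`, `drivestoredirect`, `remoteapplicationmode`, and so on) are real mstsc settings.

```python
"""Triage .rdp e-mail attachments: parse the key:type:value format and
flag files that point at an unknown host or hand local resources to it.
Added example, not CERT-UA tooling. Allowlist and samples are made up."""
import re
from dataclasses import dataclass

# Hypothetical allowlist: the RDP hosts this organisation actually operates.
ALLOWED_HOSTS = {"rdp.corp.example"}
# Heuristic: brand tokens and the legitimate suffixes they should appear under.
BRAND_SUFFIXES = {"aws": ("amazonaws.com", "aws.amazon.com"),
                  "amazon": ("amazon.com",)}
# Documented mstsc settings that redirect local resources into the session.
REDIRECT_FLAGS = ("redirectdrives", "redirectclipboard", "redirectprinters",
                  "redirectsmartcards", "redirectcomports", "redirectposdevices")
LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")


def parse_rdp(data: bytes) -> dict[str, tuple[str, str]]:
    """Return {setting_name: (type, value)}; lines that do not parse are ignored."""
    # mstsc saves UTF-16LE with a BOM; hand-written files are usually UTF-8.
    if data[:2] == b"\xff\xfe":
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig", "replace")
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            key, typ, val = m.groups()
            settings[key.strip().lower()] = (typ, val.strip())
    return settings


def host_of(full_address: str) -> str:
    """Strip an optional :port from 'host[:port]' or '[ipv6]:port'."""
    addr = full_address.strip()
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")].lower()
    return (addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr).lower()


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    host: str
    reasons: list[str]


def triage_rdp(data: bytes) -> Verdict:
    """Block unless the target is approved and nothing local is redirected."""
    s = parse_rdp(data)
    reasons = []
    host = host_of(s.get("full address", ("s", ""))[1])
    if not host:
        reasons.append("no 'full address' setting; target cannot be verified")
    elif host not in ALLOWED_HOSTS:
        reasons.append(f"target host {host!r} is not an approved RDP server")
        for token, suffixes in BRAND_SUFFIXES.items():
            legit = any(host == sfx or host.endswith("." + sfx) for sfx in suffixes)
            if token in host and not legit:
                reasons.append(f"host {host!r} looks like a {token.upper()} lookalike domain")
    for flag in REDIRECT_FLAGS:
        if s.get(flag, ("i", "0"))[1] == "1":
            reasons.append(f"{flag}=1 exposes local resources to the remote host")
    if s.get("drivestoredirect", ("s", ""))[1]:
        reasons.append("drivestoredirect maps local drives into the session")
    if s.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        reasons.append("remoteapplicationmode=1 launches a server-chosen program")
    return Verdict("block" if reasons else "allow", host, reasons)


# Constructed sample: a lure-style file, UTF-16LE with BOM as mstsc writes it.
LURE_RDP = b"\xff\xfe" + "\r\n".join([
    "full address:s:s3-aws-login.example:3389",
    "redirectdrives:i:1",
    "redirectclipboard:i:1",
    "drivestoredirect:s:*",
    "remoteapplicationmode:i:1",
    "prompt for credentials:i:0",
]).encode("utf-16-le")

# Constructed sample: a legitimate connection file for the internal jump host.
INTERNAL_RDP = "\r\n".join([
    "full address:s:rdp.corp.example",
    "redirectclipboard:i:0",
    "authentication level:i:2",
]).encode()

if __name__ == "__main__":
    for name, blob in (("lure.rdp", LURE_RDP), ("internal.rdp", INTERNAL_RDP)):
        v = triage_rdp(blob)
        print(f"{name}: {v.action} ({v.host})")
        for r in v.reasons:
            print("  -", r)
```

The decision is deliberately default-deny: a file is allowed only when its target is on the allowlist and every redirection setting is off or absent, which matches the spirit of CERT-UA's block-by-default advice while still letting a known internal host through. The brand-token check is a crude heuristic (a host such as `laws.example` would also trip it) and exists to surface the AWS-impersonation pattern described above, not to replace domain reputation data. The same `full address` host is also what to search for in proxy and firewall logs.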