Hackers Leverage Red Team Tools in RDP Attacks Via TOR & VPN for Data Exfiltration


In a striking display of cyber sophistication, the advanced persistent threat (APT) group Earth Koshchei, also tracked as APT29 or Midnight Blizzard, has been linked to a massive rogue Remote Desktop Protocol (RDP) campaign.

Earth Koshchei combines innovative tactics with red team tools in this campaign for espionage and data exfiltration, routing its traffic through anonymization layers such as commercial VPN services, TOR, and residential proxies to mask its operations, improve stealth, and complicate attribution.

This recent operation, which peaked in October 2024, targeted governments, military organizations, think tanks, academic researchers, and Ukrainian entities, among others.

The group leveraged spear-phishing emails and advanced anonymization techniques, raising serious concerns across cybersecurity communities.


How Does the Attack Work?

Earth Koshchei’s campaign employed a multi-layered attack strategy. At the heart of this operation was a malicious RDP configuration file embedded in spear-phishing emails.

When unsuspecting recipients opened the file, their devices attempted to connect to rogue RDP servers through one of 193 relays set up by the attackers.

Setup of the RDP attack method

The attack relied on a methodology dubbed “rogue RDP,” described in detail back in 2022 by Black Hills Information Security. This technique used an RDP relay, a rogue server, and malicious configurations.

RDP connection (Source: VirusTotal)

Using tools like PyRDP, a Python man-in-the-middle (MITM) framework for the Remote Desktop Protocol, the attackers intercepted and manipulated RDP connections to gain partial control over victims’ machines.

This enabled data exfiltration, file browsing, and even the execution of malicious applications—all without deploying traditional malware on the victim’s host.

The scale of Earth Koshchei’s campaign was remarkable. Between August and October 2024, the group registered over 200 domains, many of which mimicked the identities of targeted organizations such as governments, IT firms, and research institutions.

Key preparation activities included setting up 34 rogue backend RDP servers, which served as the central command point for their operations.

According to a report by cybersecurity firm Trend Micro, the spear-phishing wave on October 22 was likely the culmination of earlier, quieter campaigns. These stealthy efforts included testing the infrastructure and targeting specific entities.

Schema of how Earth Koshchei controls their infrastructure

The October 22 campaign marked a massive escalation, targeting about 200 high-profile victims in a single day, a scale of activity comparable to what other APT groups might complete in weeks.

Earth Koshchei’s motives appear to be primarily espionage. The group, allegedly linked to Russia’s Foreign Intelligence Service (SVR), has a history of targeting diplomatic, military, energy, telecom, and IT sectors in Western countries.

Its latest campaign aligns with this pattern, with victims including ministries of foreign affairs, military organizations, and academic researchers.

The use of anonymization layers such as TOR, commercial VPNs, and residential proxies made detection and attribution challenging.

These tactics allowed the attackers to obscure their activities while using compromised email servers to distribute the phishing emails. The relay servers and proxies added another layer of complexity to the operation.

A Red Team Blueprint Turned Malicious

Security experts highlighted that Earth Koshchei’s rogue RDP tactic likely drew inspiration from red team methodologies devised to strengthen organizational defenses.

The attackers effectively weaponized these techniques, demonstrating how innovations in cybersecurity can be repurposed for malicious ends.

For instance, one analyzed RDP configuration file redirected victims to a malicious server posing as an Amazon Web Services (AWS) instance.

The file also abused built-in RDP features such as drive redirection and resource sharing to extract sensitive data stealthily. During the October attack wave, an estimated three key organizations had data exfiltrated, including two military entities and a cloud provider.

Attribution and Implications

While definitive attribution remains complex, Trend Micro and other firms have linked the campaign to Earth Koshchei with medium confidence, citing the group’s distinctive tactics, techniques, and procedures (TTPs).

Both Microsoft and Amazon previously attributed similar attacks to APT29/Midnight Blizzard, bolstering these findings.

The campaign signals a troubling trend: the growing use of legitimate tools and methodologies, such as red team techniques, for malicious purposes.

This evolution underscores the need for advanced cybersecurity measures, including blocking non-trusted outbound RDP connections and prohibiting the transfer of suspicious configuration files over email.

Organizations are urged to strengthen their defenses against attacks of this nature. Blocking outbound RDP connections to untrusted servers, monitoring for malicious configuration files, and leveraging threat intelligence platforms like Trend Micro Vision One are critical steps toward mitigating risks.
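A defender-side check of the kind the mitigations above call for, written as an added example that is not from the article, Trend Micro, or the PyRDP project: it parses a .rdp connection file (the `name:type:value` lines the Windows Remote Desktop client reads), flags the drive, clipboard and RemoteApp redirection settings this campaign relied on, and compares the target host against an allowlist of RDP servers the organization actually operates. The two sample files and the `corp.example` allowlist are constructed for illustration, and the risk rules are a hypothetical starting point, not a complete policy.

```python
"""Triage .rdp connection files arriving by email: flag risky redirection
settings and untrusted target hosts. Added example; the samples, the
allowlist and the risk rules are constructed for illustration."""
from typing import Callable, Dict, List, Tuple

# Settings that deserve a second look in a file delivered from outside.
# setting name -> (predicate on the raw value, reason it matters)
RISKY_SETTINGS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "drivestoredirect": (lambda v: v.strip() != "", "local drives are mapped into the remote session"),
    "redirectclipboard": (lambda v: v == "1", "clipboard is shared with the remote host"),
    "redirectprinters": (lambda v: v == "1", "printers are exposed to the remote host"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards are exposed to the remote host"),
    "remoteapplicationmode": (lambda v: v == "1", "RemoteApp mode runs a program chosen by the server"),
    "authentication level": (lambda v: v == "0", "server certificate warnings are suppressed"),
}

# Hypothetical allowlist: only RDP hosts under this domain are trusted.
TRUSTED_HOST_SUFFIXES: Tuple[str, ...] = ("corp.example",)

# Constructed sample resembling a file that points at an outside server
# with drive redirection and RemoteApp mode enabled (not a real IoC).
SAMPLE_RDP = """\
full address:s:203.0.113.10:3389
username:s:user@example.org
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Explorer
authentication level:i:0
prompt for credentials:i:0
"""

# Constructed sample of an ordinary file for an internal jump host.
BENIGN_RDP = """\
full address:s:rdp.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
authentication level:i:2
"""


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}; type is s, i or b."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain colons
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort triage
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value)
    return settings


def target_host(settings: Dict[str, Tuple[str, str]]) -> str:
    """Return the host from 'full address', dropping a trailing ':port'."""
    address = settings.get("full address", ("s", ""))[1].strip().lower()
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit() and ":" not in host:  # leave bare IPv6 alone
        return host
    return address


def is_trusted_host(host: str, suffixes: Tuple[str, ...]) -> bool:
    """True when the host equals an allowlisted domain or sits under it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_risky_settings(settings: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (setting, value, reason) for every rule that fires."""
    findings = []
    for name, (predicate, reason) in RISKY_SETTINGS.items():
        if name in settings and predicate(settings[name][1]):
            findings.append((name, settings[name][1], reason))
    return findings


def triage_rdp(text: str, suffixes: Tuple[str, ...] = TRUSTED_HOST_SUFFIXES) -> dict:
    """Verdict: 'block' for untrusted hosts, 'review' for trusted hosts with
    risky settings, 'allow' otherwise."""
    settings = parse_rdp(text)
    host = target_host(settings)
    trusted = is_trusted_host(host, suffixes)
    findings = find_risky_settings(settings)
    verdict = "block" if not trusted else ("review" if findings else "allow")
    return {"host": host, "trusted": trusted, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        result = triage_rdp(sample)
        print(f"{label}: host={result['host']} trusted={result['trusted']} verdict={result['verdict']}")
        for name, value, reason in result["findings"]:
            print(f"  {name}={value!r}: {reason}")
```

Run against a mail-gateway quarantine or an EDR file event, a host outside the allowlist is grounds to block the file outright, while a trusted host with drive redirection enabled is worth an analyst's look rather than an automatic pass.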

Trend Micro has classified the malicious RDP configuration files used in the campaign as Trojan.Win32.HUSTLECON.A.

The company’s global threat intelligence network continues to provide actionable insights to help organizations stay ahead of evolving cyber threats.

SOC (Security Operations Center) and DFIR (Digital Forensics and Incident Response) teams can use the indicators of compromise (IOCs) published with the report to identify and analyze potential malicious activity within their environments.
