
Russian-linked APT29 launches espionage campaign via RDP


Illustration: Supimol Kumying | Shutterstock

Earth Koshchei, also known as APT29 or Midnight Blizzard, launched a massive cyber espionage campaign in October 2024. Using methodologies originally devised for red team penetration testing, the Russian-backed group deployed a rogue remote desktop protocol (RDP) attack that targeted high-profile entities, including governments, military, IT firms, think tanks, NGOs, banks, energy and academic institutions globally.

The attack leveraged a methodology known as rogue RDP, which was detailed in 2022. This method exploits an RDP relay, a rogue server, and malicious configuration files to establish control over victim systems.

Victims unknowingly connect their systems to hostile servers via tampered RDP configuration files distributed through spear-phishing emails. Once connected, attackers access local drives, printers, and other devices, enabling data exfiltration and system compromise without deploying traditional malware.

Setup of the RDP attack method. | Source: Trend Micro

This approach relies on man-in-the-middle (MITM) proxies, such as the Python-based PyRDP tool, which intercepts and redirects RDP connections to rogue servers. The methodology minimises user warnings, disguising the attack as legitimate communication to ensure stealth and efficiency.

Researchers found that Earth Koshchei’s rogue RDP campaign peaked on October 22, targeting various government, non-government, and private entities, with a significant focus on Ukrainian entities. The group used spear-phishing emails with malicious RDP configuration files to trick recipients into establishing connections with one of 193 RDP relays controlled by Earth Koshchei.

The attack infrastructure included:

  • 193 proxy domains masking 34 rogue RDP backend servers.
  • Extensive anonymisation layers, including Tor networks, VPN services, and residential proxies, to evade detection and attribution.
  • Compromised email servers to deliver phishing payloads, ensuring plausible legitimacy.

The campaign’s scale dwarfed previous efforts, with 200 high-profile targets reached in a single day — far surpassing typical APT attack volumes.

Number of malicious domains per industry. | Source: Trend Micro

The rogue RDP methodology enabled Earth Koshchei to conduct extensive data exfiltration and potentially deliver payloads with impunity. Microsoft, Amazon, and CERT-UA attributed the campaign to Midnight Blizzard/APT29.

Researchers discovered that the threat group utilised advanced anonymisation techniques, including Tor exit nodes, residential proxies, and cryptocurrency-funded VPNs. Also, this infrastructure supports a blend of targeted and scattergun campaigns, with evidence of stealthy operations preceding the October 22 blitz.

“Earth Koshchei uses new methodologies over time for their espionage campaigns. They not only pay close attention to old and new vulnerabilities that help them in getting initial access, but they also look at the methodologies and tools that red teams develop,” researchers concluded.

Researchers have advised users and institutions to block outbound RDP connections to untrusted servers, restrict the transmission of RDP configuration files, and deploy enhanced detection methods to identify and neutralise suspicious RDP activities.
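The defensive advice above, as an added example that is not from the article or from Trend Micro's research: a small Python triage script that parses an .rdp configuration file (the standard mstsc `name:type:value` settings) and flags the properties a rogue-RDP lure depends on, such as a target host outside an allowlist and local drive or printer redirection. The allowlisted gateway host and the two sample files are constructed assumptions.

```python
"""Triage an .rdp file for the settings a rogue-RDP lure relies on (added example)."""
from typing import Dict, List, Set

# Constructed allowlist of internal RDP gateways; replace with your own (assumption).
TRUSTED_HOSTS: Set[str] = {"rds.corp.example"}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse mstsc 'name:type:value' lines into {name: value}.

    Values may contain ':' themselves (host:port), so split at most twice.
    The caller decodes the file first (mstsc writes UTF-16 or ANSI text).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # blank line or not a setting line
        settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def assess_rdp(text: str, trusted_hosts: Set[str] = TRUSTED_HOSTS) -> List[str]:
    """Return findings for one .rdp file; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = s.get("full address", "").split(":")[0].lower()
    if host not in trusted_hosts:
        findings.append(f"target host '{host or '<missing>'}' is not on the allowlist")
    if s.get("drivestoredirect"):  # 's:*' hands every local drive to the server
        findings.append(f"local drives redirected: {s['drivestoredirect']}")
    for key in ("redirectprinters", "redirectclipboard", "redirectsmartcards",
                "redirectcomports"):
        if s.get(key) == "1":
            findings.append(f"{key} enabled")
    if s.get("devicestoredirect") or s.get("usbdevicestoredirect"):
        findings.append("plug-and-play / USB devices redirected")
    if s.get("authentication level") == "0":
        findings.append("server certificate warnings suppressed (authentication level:i:0)")
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode shows only a published app, hiding the session")
    return findings

# Constructed samples: a lure-style file and a benign one pointing at the allowlisted gateway.
SUSPICIOUS_RDP = ("full address:s:files.example-lure.test:3389\ndrivestoredirect:s:*\n"
                  "redirectprinters:i:1\nredirectclipboard:i:1\n"
                  "authentication level:i:0\nremoteapplicationmode:i:1\n")
BENIGN_RDP = "full address:s:rds.corp.example\ndrivestoredirect:s:\nauthentication level:i:2\n"
```

Run `assess_rdp` over .rdp attachments at the mail gateway or on endpoints; a non-empty result is a reason to quarantine the file rather than let the user double-click it.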


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me