
Russian Hackers Target Ukrainian Military and Organizations with RDP Phishing Campaign

Silviu STAHIE

October 25, 2024


APT29, a hacking group also known as Cozy Bear that is believed to operate directly under Russia's Foreign Intelligence Service (SVR), has been targeting industrial and military organizations in Ukraine by impersonating Amazon Web Services (AWS).

One of APT29's favorite tactics is phishing for credentials belonging to government agencies, enterprises, and militaries, usually by impersonating an official service or body. In this case, the threat actors leveraged the AWS name by impersonating its services.

The hackers sent phishing emails to various targets across Ukraine, addressing issues regarding the "integration" with Amazon services, Microsoft, and the implementation of Zero Trust Architecture (ZTA).

RDP Phishing Emails as Primary Vector

The purpose of the phishing emails was very clear: to harvest credentials used for remote desktop connections and to establish RDP sessions. The attachments contained a file with the '.rdp' extension which, if opened, would establish an outgoing RDP connection to the attackers' server.

"At the same time, taking into account the parameters of the RDP file, during such an RDP connection, the remote server was not only granted access to disks, network resources, printers, COM ports, audio devices, the clipboard and other resources on the local computer, and the technical prerequisites for running third-party programs/scripts on the victim's computer could have been created," explained the Computer Emergency Response Team of Ukraine (CERT-UA).
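The resource-redirection settings CERT-UA describes live as plain `key:type:value` lines inside the .rdp attachment, so a mail gateway or analyst can triage such a file statically before anyone opens it. The following is an added example (not code from the article or from CERT-UA) that parses a .rdp file and flags the settings that hand the remote host local drives, clipboard, printers, COM ports or audio, or let it launch a program; the sample file contents, the `.example.net` target host and the `trusted_domains` allow-list are constructed for illustration.

```python
"""Static triage of a .rdp attachment: flag settings that expose local resources
to the remote server or let the remote side start a program on connect."""
import re

# Documented .rdp settings that redirect local resources or launch a program,
# paired with the value that enables them. Constructed allow/deny list for the
# example; it is not exhaustive.
RISKY_KEYS = {
    "drivestoredirect": lambda v: v.strip() != "",        # disks ("*" = all drives)
    "redirectclipboard": lambda v: v.strip() == "1",      # clipboard
    "redirectprinters": lambda v: v.strip() == "1",       # printers
    "redirectcomports": lambda v: v.strip() == "1",       # COM ports
    "redirectsmartcards": lambda v: v.strip() == "1",     # smart cards
    "audiocapturemode": lambda v: v.strip() == "1",       # local microphone
    "devicestoredirect": lambda v: v.strip() != "",       # PnP devices
    "remoteapplicationmode": lambda v: v.strip() == "1",  # RemoteApp session
    "remoteapplicationprogram": lambda v: v.strip() != "",
    "alternate shell": lambda v: v.strip() != "",         # program run at logon
}

# Each .rdp line is "<key>:<type>:<value>" where type is s (string), i (int) or b.
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

def parse_rdp(text):
    """Return {lower-cased key: raw value} for every well-formed line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group("key").strip().lower()] = m.group("value")
    return settings

def triage_rdp(text, trusted_domains=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings = []
    # "full address" may carry "host:port"; keep only the host part.
    host = s.get("full address", "").split(":")[0].strip().lower()
    if host and not any(host == d or host.endswith("." + d) for d in trusted_domains):
        findings.append(f"untrusted target host: {host}")
    for key, is_risky in RISKY_KEYS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key}={s[key].strip()}")
    return findings

# Constructed sample resembling the lure: full drive/clipboard/device redirection
# plus RemoteApp mode pointing at an attacker-chosen program alias.
SUSPICIOUS_RDP = """screen mode id:i:2
full address:s:zta-integration.example.net
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||AWSConnect
"""

# Constructed benign file: trusted host, redirection explicitly off.
BENIGN_RDP = """full address:s:rds.corp.example
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for finding in triage_rdp(SUSPICIOUS_RDP, trusted_domains=("corp.example",)):
        print("FLAG:", finding)
```

A file that only opens a session against a known internal gateway produces no findings, so the check can be used as a quarantine rule on attachments without blocking legitimate .rdp shortcuts.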

If the domain names used in the attacks are any indication, this operation has been active since August 2024.

Amazon has also issued a statement acknowledging CERT-UA's work, saying that the company "initiated the process of seizing the domains APT29 was abusing, which impersonated AWS in order to interrupt the operation."

"Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn't the target, nor was the group after AWS customer credentials," Amazon also said.

Author


Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
