December 19, 2024

Russian APT Earth Koshchei Exploits Red Team Tools in Massive RDP Campaign



A sophisticated Russian-linked APT group known as Earth Koshchei has conducted a massive Remote Desktop Protocol (RDP) campaign targeting high-profile organizations, repurposing publicly available red team tools and techniques for cyber espionage.

The campaign, extensively documented by Trend Micro researchers, revealed a complex attack methodology that exploited a rogue RDP technique originally described by Black Hills Information Security in 2022. By weaponizing legitimate red team tools, Earth Koshchei successfully compromised numerous government agencies, military organizations, think tanks, and academic research institutions.

The attack's core strategy involved sending carefully crafted spear-phishing emails containing malicious RDP configuration files. These files were designed to redirect victims' machines to attacker-controlled RDP servers through 193 strategically configured relays. This approach allowed the threat actors to gain partial control of targeted systems without deploying traditional malware, making the operation exceptionally stealthy.

Figure: Schema of how Earth Koshchei controls their infrastructure

Preparations for the campaign began as early as August 2024, with the group registering over 200 domain names mimicking legitimate organizations. The peak of the campaign occurred on October 22, 2024, when a massive wave of spear-phishing emails was sent to carefully selected targets. The infrastructure included 193 proxy domains and 34 rogue RDP backend servers, demonstrating significant operational sophistication.

A key component of the attack was the use of PyRDP, a Python-based man-in-the-middle tool that enabled attackers to intercept and manipulate RDP connections. By leveraging this tool, Earth Koshchei could automatically crawl redirected drives, exfiltrate data, and execute malicious commands without triggering traditional security alerts.

Figure: Setup of the RDP attack method

The group employed layered anonymization techniques, including commercial VPN services, the Tor network, and residential proxies. This multi-layered approach made attribution challenging and allowed the attackers to blend their activity into legitimate network traffic. Approximately 90 unique IP addresses were identified in the email campaigns, each routed through one or more of these anonymization layers.

Amazon, along with other vendors, has attributed the campaign to Midnight Blizzard (APT29), with indications suggesting links to Russia's Foreign Intelligence Service (SVR). The group's history of targeting Western governments and critical infrastructure underscores the strategic nature of its cyber operations.

The campaign's scale was unprecedented, with over 200 high-profile targets impacted in a single day. Targets included military organizations, government institutions, and academic research centers, primarily in Europe and Ukraine.

Security experts recommend several mitigation strategies:

  • Implement strict RDP access controls

  • Rigorously monitor and analyze RDP configuration files

  • Enhance email security protocols

  • Deploy network segmentation

  • Utilize advanced threat intelligence solutions
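The malicious RDP configuration files at the core of the campaign, and the mitigation above about monitoring and analysing such files, come down to the same defensive check: what does a received .rdp file connect to, and what does it redirect to that host? The triage script below is an added example and is not Trend Micro's, Black Hills Information Security's or PyRDP's code. The .rdp keys it inspects (full address, drivestoredirect, redirectclipboard, remoteapplicationmode and so on) are standard mstsc settings; the allow-list suffix, the severity scheme and the two sample files are constructed assumptions for the demonstration, not campaign artifacts.

```python
"""Triage of Remote Desktop (.rdp) configuration files for rogue-RDP indicators.

Added example, not Trend Micro's or Black Hills' tooling. Assumptions
(constructed): ALLOWED_HOST_SUFFIXES is the organisation's list of legitimate
RDP hosts, and the sample files at the bottom are made up for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed allow-list: any 'full address' outside these suffixes is treated
# as an external (potentially attacker-controlled) RDP endpoint.
ALLOWED_HOST_SUFFIXES = (".corp.example.internal",)

# Settings a phishing-delivered .rdp file has no legitimate reason to enable.
# key -> (severity, reason). Drive redirection is what lets a man-in-the-middle
# relay crawl the victim's disks.
RISKY_SETTINGS = {
    "drivestoredirect": ("high", "local drives are shared with the remote host"),
    "devicestoredirect": ("high", "plug-and-play devices are shared with the remote host"),
    "redirectclipboard": ("medium", "clipboard is shared with the remote host"),
    "redirectsmartcards": ("medium", "smart cards are forwarded to the remote host"),
    "remoteapplicationmode": ("medium", "RemoteApp mode hides the full remote desktop"),
}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class RdpFinding:
    severity: str
    detail: str


@dataclass
class RdpReport:
    full_address: Optional[str]
    findings: list[RdpFinding] = field(default_factory=list)

    @property
    def max_severity(self) -> str:
        return max((f.severity for f in self.findings),
                   key=SEVERITY_RANK.__getitem__, default="none")


def parse_rdp(data: bytes) -> dict[str, tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}.

    mstsc saves files as UTF-16LE with a BOM; hand-crafted ones are often
    ASCII, so both are accepted. Values may contain ':' (host:port), hence
    the two-split limit.
    """
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig", errors="replace")
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank line or malformed entry
        key, typ, value = (p.strip() for p in parts)
        settings[key.lower()] = (typ.lower(), value)
    return settings


def _is_enabled(typ: str, value: str) -> bool:
    """i-typed keys are on when nonzero; s-typed keys (drive lists) when non-empty."""
    if typ == "i":
        return value not in ("", "0")
    return value != ""


def triage_rdp(data: bytes) -> RdpReport:
    """Return findings for one .rdp file. 'critical' marks the rogue-RDP
    pattern: an external host combined with drive redirection."""
    settings = parse_rdp(data)
    full_address = settings.get("full address", ("s", ""))[1] or None
    report = RdpReport(full_address=full_address)

    # rsplit keeps IPv6 literals intact and strips a trailing ':port'.
    host = (full_address or "").rsplit(":", 1)[0].lower()
    external = bool(host) and not host.endswith(ALLOWED_HOST_SUFFIXES)
    if not host:
        report.findings.append(RdpFinding("low", "no 'full address' set; target chosen at connect time"))
    elif external:
        report.findings.append(RdpFinding("high", f"connects to non-allow-listed host '{host}'"))

    for key, (severity, reason) in RISKY_SETTINGS.items():
        typ, value = settings.get(key, ("", ""))
        if _is_enabled(typ, value):
            if external and key == "drivestoredirect":
                severity = "critical"  # drives exposed to an outside relay
            report.findings.append(RdpFinding(severity, f"{key}={value!r}: {reason}"))
    return report


# Constructed samples for the demo, not real campaign artifacts.
SAMPLE_MALICIOUS_RDP = (
    "full address:s:rdp-relay.attacker-controlled.example:3389\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "remoteapplicationmode:i:1\r\n"
    "remoteapplicationname:s:Connection Test\r\n"
).encode("utf-16")  # BOM-prefixed UTF-16, as mstsc would write it

SAMPLE_BENIGN_RDP = (
    "full address:s:ts01.corp.example.internal\r\n"
    "drivestoredirect:s:\r\n"
    "redirectclipboard:i:0\r\n"
    "screen mode id:i:2\r\n"
).encode("ascii")

if __name__ == "__main__":
    for name, blob in (("malicious", SAMPLE_MALICIOUS_RDP), ("benign", SAMPLE_BENIGN_RDP)):
        report = triage_rdp(blob)
        print(f"{name}: {report.max_severity} -> {report.full_address}")
        for finding in report.findings:
            print(f"  [{finding.severity}] {finding.detail}")
```

Run as-is to see both samples scored; in practice the function is fed the bytes of every .rdp attachment a mail gateway or endpoint agent sees. The design choice worth noting is that no single setting is damning on its own: drive redirection to a known internal terminal server is normal, and an unknown external host without redirection only exposes credentials and screen. It is the combination, an address outside the allow-list plus drivestoredirect, that reproduces the rogue RDP setup and is escalated to critical.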

The Earth Koshchei campaign demonstrates the evolving sophistication of state-sponsored cyber espionage, highlighting the critical need for organizations to remain vigilant and adaptive in their cybersecurity approaches.

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
