Other
Midnight Blizzard Large-Scale RDP Spear-Phishing Campaign
Primary Source
Incident Details
Beginning 22 October 2024, Midnight Blizzard sent spear-phishing emails to thousands of users at more than 100 organizations in government, academia, defense, and NGOs across the UK, Europe, Australia, and Japan. The emails used AWS- and Zero Trust-themed lures and carried signed .rdp configuration files. Once a recipient opened the attachment, the RDP client connected the workstation to an actor-controlled server and mapped local resources (such as drives, the clipboard, and smart cards) into the session, enabling credential harvesting, file access, and malware installation. Microsoft disclosed the campaign on 29 October 2024, and CISA issued an alert on 31 October 2024. Intelligence collection was assessed as the primary objective. The campaign followed the Midnight Blizzard intrusion into Microsoft corporate email that Microsoft disclosed in January 2024.
Technical Details
- Initial Attack Vector
- Russian SVR-linked Midnight Blizzard (also tracked as APT29/NOBELIUM) delivered signed malicious RDP configuration (.rdp) files as spear-phishing attachments. Opening a file connected the target's machine to an attacker-controlled server and mapped local resources into the session, exposing them for data theft and malware staging.
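The technique above works because an .rdp file is a plain-text list of `name:type:value` settings that the RDP client honours without asking, including the ones that redirect drives, clipboard, smart cards and passkeys to the remote host. The triage script below is an added example written for this page; it is not code from the original page, Microsoft or CISA. It parses a connection file, flags every redirection setting that is enabled, checks whether `full address` points outside an allow-list of trusted domain suffixes, and reports a `signature` field without treating it as a sign of trust. Both sample files are constructed for the example: `rdp-login.invalid` stands in for an actor-controlled host and `rdp.corp.example` for an organisation's own gateway; the campaign's real hostnames and file contents are not on this page.

```python
"""Triage an .rdp connection file for the resource-redirection settings that a
phishing-delivered, actor-signed RDP file can use to expose a victim's drives,
clipboard, smart cards and passkeys to the remote host.

Added example; not code from the original page, Microsoft or CISA. Both .rdp
samples below are constructed; the hostnames are placeholders.
"""
import re

# Standard .rdp properties that redirect a local resource into the session.
# A "*" in drivestoredirect maps every local drive to the remote host.
REDIRECTION_CHECKS = {
    "drivestoredirect":     lambda v: v != "",
    "devicestoredirect":    lambda v: v != "",
    "usbdevicestoredirect": lambda v: v != "",
    "redirectclipboard":    lambda v: v == "1",
    "redirectsmartcards":   lambda v: v == "1",  # remote host can use the victim's smart card
    "redirectwebauthn":     lambda v: v == "1",  # Windows Hello / FIDO passkeys
    "redirectprinters":     lambda v: v == "1",
    "redirectposdevices":   lambda v: v == "1",
    "redirectcomports":     lambda v: v == "1",
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse `name:type:value` lines into {name: (type, value)}.

    Only the first two colons separate fields, so `full address:s:host:3389`
    keeps its port. Setting names are case-insensitive, so they are lowered.
    """
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def target_host(settings: dict[str, tuple[str, str]]) -> str:
    """Hostname from `full address`, with any trailing :port removed."""
    addr = settings.get("full address", ("s", ""))[1]
    return re.sub(r":\d+$", "", addr)


def triage(text: str, trusted_suffixes: tuple[str, ...] = ()) -> dict:
    """Return findings and a verdict for one .rdp file.

    "suspicious": redirects local resources AND connects outside trusted_suffixes.
    "review":     only one of those holds.  "benign-looking": neither.
    A `signature` field is reported but never counts toward trust: the
    campaign's attachments were signed.
    """
    s = parse_rdp(text)
    redirected = [k for k, on in REDIRECTION_CHECKS.items() if k in s and on(s[k][1])]
    findings = [f"{k}={s[k][1]!r} redirects a local resource" for k in redirected]

    host = target_host(s)
    external = bool(host) and not any(host.lower().endswith(x) for x in trusted_suffixes)
    if external:
        findings.append(f"full address {host!r} is not under a trusted domain")
    if s.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        findings.append("remoteapplicationmode=1: shows one remote app, hiding the remote desktop")
    signed = "signature" in s
    if signed:
        findings.append("file carries a signature; the signer's identity, not its presence, matters")

    verdict = "suspicious" if (redirected and external) else \
              "review" if (redirected or external) else "benign-looking"
    return {"host": host, "redirected": redirected, "signed": signed,
            "verdict": verdict, "findings": findings}


# Constructed sample shaped like a phishing attachment: every drive, the
# clipboard, smart cards and passkeys are handed to an external host. The
# signature value is a placeholder, not a real RDP file signature.
SUSPICIOUS_RDP = """\
full address:s:rdp-login.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
redirectprinters:i:1
remoteapplicationmode:i:1
signscope:s:Full Address,Drive Store Redirect
signature:s:AQABAAEAAABwbGFjZWhvbGRlci1zaWduYXR1cmU=
"""

# Constructed sample of an internally issued file: no redirection, trusted host.
INTERNAL_RDP = """\
full address:s:rdp.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for label, sample in (("attachment", SUSPICIOUS_RDP), ("internal", INTERNAL_RDP)):
        result = triage(sample, trusted_suffixes=(".corp.example",))
        print(f"[{label}] {result['verdict']}: {result['host']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run it over an attachment quarantine or a mail-gateway sample set and alert on "suspicious"; the allow-list should contain only the organisation's own RDP gateways, since a file that points anywhere else has no business redirecting smart cards or passkeys. Blocking `.rdp` attachments at the mail gateway, as CISA recommended, removes the need to triage them at all.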
Timeline
- 2024-10-22 Spear-phishing campaign began
- 2024-10-29 Publicly disclosed by Microsoft
- 2024-10-31 CISA alert issued