Russian Cozy Bear Hackers Phish Critical Sectors with Microsoft, AWS Lures

Microsoft has revealed that the Russian state-sponsored threat actor Cozy Bear (also tracked as APT29, UNC2452 and Midnight Blizzard) has launched a new phishing campaign targeting over 100 organizations worldwide, particularly in Ukraine, the United States and Europe.

The campaign, active since October 22, 2024, involves highly targeted emails designed to trick users into opening malicious files, ultimately granting the attackers access to sensitive information.

The attackers are mainly focusing on organizations in critical sectors such as government, defence, academia, and non-governmental organizations. This aligns with Cozy Bear’s previous pattern of targeting entities holding valuable intelligence.

Cozy Bear is using a never-before-seen approach involving signed Remote Desktop Protocol (RDP) configuration files. These apparently harmless files are sent as attachments in phishing emails, often disguised with lures related to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails are composed with sophistication, even impersonating Microsoft employees to enhance their credibility.
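The story does not describe what the attached `.rdp` files contain, only that they are signed and arrive as email attachments. The example below is added here and is not Microsoft's code or anything from the report; it parses the standard `.rdp` file format (one `name:type:value` setting per line) and reports the settings a mail gateway or analyst would want to review before a user is allowed to open such an attachment: where the session connects, whether local resources (drives, clipboard, printers, smart cards) would be exposed to the remote host, and whether the file carries a signature block. The key names are the standard RDP client settings; the sample file, the host allow-list and the wording of the findings are constructed for illustration.

```python
"""Triage an .rdp attachment: extract the session target, resource
redirection settings and signature presence, and report findings.
Added example, not code from the article or from Microsoft."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Standard .rdp settings that expose local resources to the remote host or
# disguise the session. The descriptions are written for this example.
RESOURCE_REDIRECT_KEYS = {
    "drivestoredirect": "local drives shared with the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers shared with the remote host",
    "redirectsmartcards": "smart cards shared with the remote host",
    "remoteapplicationmode": "RemoteApp mode (session looks like a local app)",
}


@dataclass
class RdpReport:
    target: Optional[str]
    signed: bool
    findings: List[str] = field(default_factory=list)


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into a dict keyed by lowercase name.
    The type field (s=string, i=integer, b=binary) is kept out of the key."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)          # value may itself contain ':'
        if len(parts) != 3:
            continue                        # not a well-formed setting line
        name, _vtype, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def assess_rdp(text: str, allowed_hosts: Set[str]) -> RdpReport:
    """Return a report of everything a defender should look at in the file."""
    s = parse_rdp(text)
    target = s.get("full address") or s.get("alternate full address")
    report = RdpReport(target=target, signed="signature" in s)

    if target:
        host = target.split(":")[0].lower()   # strip an optional :port
        if host not in allowed_hosts:
            report.findings.append(
                f"session target {host!r} is not an approved RDP host")
    else:
        report.findings.append("no session target specified")

    for key, meaning in RESOURCE_REDIRECT_KEYS.items():
        value = s.get(key)
        if value is None:
            continue
        # drivestoredirect is a string (drive list or '*'); the others are
        # integers where '1' enables the redirection.
        enabled = value != "" if key == "drivestoredirect" else value != "0"
        if enabled:
            report.findings.append(f"{key}={value!r}: {meaning}")

    if report.signed:
        report.findings.append(
            "file carries a signature block; a valid signature proves who "
            "produced the file, not that its configuration is safe")
    return report


# Constructed sample: what a suspicious attachment might look like. The host
# name is a reserved example domain, and the signature value is dummy data.
CONSTRUCTED_SAMPLE = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
remoteapplicationmode:i:1
signature:s:AQABAAEAAAAAAAAAAAAAAAAAAAAA
signscope:s:Full Address,Drives To Redirect
"""

# Constructed sample of an internal file that should pass clean.
CONSTRUCTED_CLEAN_SAMPLE = """\
full address:s:rdp.corp.example
redirectclipboard:i:0
"""

if __name__ == "__main__":
    report = assess_rdp(CONSTRUCTED_SAMPLE, allowed_hosts={"rdp.corp.example"})
    print(f"target={report.target} signed={report.signed}")
    for finding in report.findings:
        print(" -", finding)
```

The allow-list of approved RDP hosts is the key defensive control here: an attachment that points a session, with drive and clipboard redirection enabled, at a host the organization does not operate should be quarantined regardless of whether its signature validates. Blocking `.rdp` attachments outright at the mail gateway is the simpler policy where RDP files are never legitimately exchanged by email.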

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about cybersecurity events and stories, cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.