THREAT CAMPAIGN: APT29 COOPTS RED TEAM TOOLS IN ROGUE RDP ATTACKS

John C

In October 2024, the well-known hacking group APT29 (also called Earth Koshchei or Midnight Blizzard) used a new trick called “rogue RDP” to attack various targets. These targets included government agencies, military organizations, think tanks, academic researchers, and especially Ukrainian groups.

What Is Rogue RDP?

Rogue RDP is a method where attackers create a fake Remote Desktop Protocol (RDP) connection to a victim’s computer. Normally, RDP is used by IT teams to remotely access and manage computers in a secure way. However, in this case, APT29 tricked users into connecting to attacker-controlled servers.

The setup involves three main parts:

  1. RDP Relay: A chain of servers that forward the victim’s RDP connection, hiding the attacker’s location.
  2. Rogue RDP Server: The fake RDP server run by the attackers, which gives them partial control over the victim’s machine once the victim connects.
  3. Malicious RDP Configuration File: A file sent via a phishing email. When opened, it directs the victim’s computer to the rogue RDP server through the RDP relay.

If victims have no security measures blocking outbound RDP traffic, or if they are in a less controlled environment (like working from home), the attacker can gain access. After that, the attackers can steal data, install malware, or carry out further harmful actions.
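The third component above, the .rdp configuration file, is plain text: one `name:type:value` setting per line, where the type is `s` (string) or `i` (integer). That makes it easy to inspect at the mail gateway or on an endpoint before a user double-clicks it. The following Python is an added example, not code from the original article or from any vendor report: it parses a constructed sample file and flags the settings a defender cares about (an unfamiliar destination, a non-standard port, resource redirection that hands the server access to local drives, clipboard and smart cards, and RemoteApp mode). The hostnames and the allow-list are placeholders; the setting names are the real .rdp option names.

```python
"""Flag risky settings in an .rdp attachment before it reaches a user.

Added example (not from the original article). The sample file and the
allow-list below are constructed; only the .rdp option names are real.
"""
from typing import Dict, List, Tuple

# Integer-typed redirection options; "1" means the local resource is exposed
# to whatever server the file points at.
REDIRECTION_FLAGS = {
    "redirectclipboard": "1",
    "redirectprinters": "1",
    "redirectsmartcards": "1",
    "redirectcomports": "1",
    "redirectposdevices": "1",
}
# String-typed redirection options; any non-empty value (e.g. "*") is a finding.
REDIRECTION_STRINGS = ("drivestoredirect", "devicestoredirect", "usbdevicestoredirect")

# Constructed allow-list: the RDP targets this organisation actually uses.
TRUSTED_RDP_HOSTS = {"rdp-gateway.corp.example"}

# Constructed sample attachment; the relay hostname is a placeholder.
SAMPLE_RDP = """\
full address:s:remote.attacker-relay.example:443
server port:i:443
prompt for credentials:i:0
authentication level:i:0
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
drivestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||MyApp
alternate shell:s:
"""


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting name: (type, value)}; blank, comment and malformed lines are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def target_of(settings: Dict[str, Tuple[str, str]]) -> Tuple[str, int]:
    """Resolve the destination host and port (full address may carry host:port;
    an explicit server port setting overrides it)."""
    host, port = settings.get("full address", ("s", ""))[1].lower(), 3389
    if host.count(":") == 1:  # host:port form (IPv6 literals have more colons)
        host, _, port_s = host.partition(":")
        if port_s.isdigit():
            port = int(port_s)
    if "server port" in settings and settings["server port"][1].isdigit():
        port = int(settings["server port"][1])
    return host, port


def assess_rdp(settings: Dict[str, Tuple[str, str]], trusted_hosts=TRUSTED_RDP_HOSTS) -> List[str]:
    """List human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    host, port = target_of(settings)
    if host and host not in trusted_hosts:
        findings.append(f"destination {host} is not in the RDP allow-list")
    if port != 3389:
        findings.append(f"non-standard RDP port {port}")
    # authentication level 0 tells mstsc to connect even if server identity cannot be verified
    if settings.get("authentication level", ("i", "2"))[1] == "0":
        findings.append("authentication level 0: server identity failures are ignored")
    for name, bad in REDIRECTION_FLAGS.items():
        if settings.get(name, ("i", "0"))[1] == bad:
            findings.append(f"{name} enabled")
    for name in REDIRECTION_STRINGS:
        value = settings.get(name, ("s", ""))[1]
        if value:
            findings.append(f"{name}={value} exposes local devices to the server")
    if settings.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        findings.append("RemoteApp mode: the server decides what the user sees")
    return findings


if __name__ == "__main__":
    for finding in assess_rdp(parse_rdp(SAMPLE_RDP)):
        print("-", finding)
```

Run against the constructed sample this reports eight findings; a file that points at the allow-listed gateway with redirection off and a normal authentication level reports none. The check is deliberately conservative: drive and clipboard redirection are legitimate in many environments, so the findings are meant to gate delivery or trigger review, not to act as a verdict on their own.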

How the Attack Happened

On October 22, APT29 sent a large wave of phishing emails to many high-profile organizations. These emails carried a malicious RDP file designed to trick recipients into connecting to the rogue RDP servers. The attack had a higher chance of success if the victim's organization did not block outbound RDP, or if the attackers used unusual ports to avoid detection.

It is believed that this big, loud attack on October 22 was the final stage of a longer, quieter effort. Before this date, APT29 likely tested the method on a smaller scale, fine-tuning their infrastructure and approach.

Infrastructure and Scale

Researchers discovered that APT29 used a large network of servers and domain names:

  • 193 domains: These served as “front” servers that forwarded the victim’s RDP traffic.
  • 34 backend RDP servers: These were the actual rogue RDP servers controlled by APT29.

By using many domains and multiple layers of relays, APT29 made it much harder for defenders to trace where the attacks were really coming from.

Using Red Team Techniques

One worrying part of this campaign is that APT29 used methods originally designed for “red teams.” Red teams are trusted cybersecurity experts who are allowed to test an organization’s defenses. The attackers took advantage of these publicly known techniques and tools, blurring the line between normal security testing methods and real malicious attacks.

How to Protect Your Organization

Defending against such attacks involves several steps:

  1. Block Outbound RDP Traffic: Limit or completely block RDP connections going out from your network, especially to unknown destinations.
  2. User Training and Email Filtering: Teach staff to recognize suspicious emails and attachments. Use email filtering tools to prevent dangerous files from reaching inboxes.
  3. Network Monitoring: Monitor outgoing network connections. Set alerts for unusual RDP traffic or connections to unfamiliar servers.
  4. Threat Intelligence and Indicators of Compromise (IOCs): Stay updated on known malicious domains, IP addresses, and techniques. Use these IOCs to detect suspicious activity quickly.
  5. Secure Remote Work Setups: If your team works remotely, ensure VPNs, firewalls, and endpoint security tools are properly configured to prevent unauthorized RDP connections.
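Steps 1, 3 and 4 above come together in one detection: outbound RDP to anything outside a known allow-list should alert, and because the article notes that unusual ports were used to avoid detection, matching on port 3389 alone is not enough. The Python below is an added example, not code from the original article or from any vendor report. It runs over constructed endpoint egress events (JSON, one per line, with process name, destination and port), ignores internal destinations and the allow-listed gateway, and raises an alert when the destination is on port 3389, when the RDP client itself (mstsc.exe) reaches an external host on any port, or when the destination matches an IOC domain. The allow-list, the IOC list and the hostnames are placeholders; real indicators come from the research report the article links to.

```python
"""Detect outbound RDP that escapes the organisation's allow-list.

Added example (not from the original article). Log lines, allow-list and
IOC list are constructed placeholders.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed allow-list of legitimate RDP destinations.
ALLOWED_RDP_HOSTS = {"rdp-gateway.corp.example"}

# Placeholder IOC set; populate from threat intelligence, not from this file.
KNOWN_BAD_DOMAINS = {"relay-placeholder.example"}

# RFC 1918 and loopback ranges. Explicit networks are used instead of
# ipaddress.is_private because the latter also treats the documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed egress events: ts, source host, process, destination, port.
SAMPLE_LOG = """\
{"ts":"2024-10-22T09:01:05Z","host":"wks-17","process":"mstsc.exe","dst_host":"rdp-gateway.corp.example","dst_ip":"203.0.113.10","dst_port":3389}
{"ts":"2024-10-22T09:03:41Z","host":"wks-17","process":"mstsc.exe","dst_host":"10.20.30.40","dst_ip":"10.20.30.40","dst_port":3389}
{"ts":"2024-10-22T09:07:12Z","host":"wks-22","process":"mstsc.exe","dst_host":"front-a.placeholder.example","dst_ip":"198.51.100.23","dst_port":443}
{"ts":"2024-10-22T09:08:55Z","host":"wks-22","process":"chrome.exe","dst_host":"www.example.com","dst_ip":"198.51.100.50","dst_port":443}
{"ts":"2024-10-22T09:10:03Z","host":"wks-31","process":"svchost.exe","dst_host":"relay-placeholder.example","dst_ip":"198.51.100.77","dst_port":3389}
"""


def is_internal(ip: str) -> bool:
    """True for RFC 1918 / loopback addresses; unparsable input is treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyse_event(ev: Dict) -> List[str]:
    """Return the reasons an event is suspicious (empty list = benign)."""
    reasons: List[str] = []
    dst_host = str(ev.get("dst_host", "")).lower()
    if is_internal(str(ev.get("dst_ip", ""))) or dst_host in ALLOWED_RDP_HOSTS:
        return reasons
    if dst_host in KNOWN_BAD_DOMAINS:
        reasons.append("destination matches an IOC domain")
    if ev.get("dst_port") == 3389:
        reasons.append("outbound RDP (3389) to a host outside the allow-list")
    # Process-based rule: catches RDP relays listening on non-standard ports.
    if str(ev.get("process", "")).lower() == "mstsc.exe":
        reasons.append(f"RDP client connecting to an external host on port {ev.get('dst_port')}")
    return reasons


def detect(log_text: str) -> List[Dict]:
    """Run analyse_event over JSON-lines input and collect alerts."""
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = analyse_event(ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "dst": ev["dst_host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["host"], "->", alert["dst"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

On the constructed log this raises two alerts: wks-22, where the RDP client reaches an external host on port 443 (the port-only rule would have missed it), and wks-31, where a 3389 connection goes to a host that is both outside the allow-list and on the IOC list. The connection to the allow-listed gateway and the one to an internal 10.x address stay quiet. In practice the process name comes from EDR or Sysmon network events and the destination from proxy or firewall logs; joining the two is what lets the process-based rule survive port changes.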

APT29’s rogue RDP campaign shows how advanced attackers are constantly finding new ways to break into systems. By using familiar red team tactics and creative infrastructure, they make it harder for organizations to detect and stop their attacks.

The lesson is clear: organizations must keep improving their security controls, stay aware of new threat techniques, and regularly update their understanding of the latest attacker behaviors.

For a detailed report with technical findings, domains, IP addresses, and other in-depth data, read the full research report here.

Written by John C

Technologist and technical leader skilled in Cyber Incident Response, Computer Forensics, and Security and Detection Engineering.