European Military & Government Data Networks Targeted

A Russian threat group is using sophisticated phishing methods to attack European government and military data networks, abusing the Remote Desktop Protocol (RDP) to compromise systems.

The attack, identified by Google’s Threat Intelligence Group (GTIG) as UNC5837, exploits two lesser-known RDP features: resource redirection and RemoteApps. RemoteApps is a virtual application solution that allows users to run Windows-based applications regardless of what operating system they are using.

While RDP is often used for legitimate remote connections, this campaign departs from the typical RDP takeover, in which the attacker visibly hijacks the victim’s screen. Instead, the attackers quietly access the victim’s data through these two lesser-used features. RDP’s resource redirection lets the attackers map the victim’s local drives and files directly to their own server. RemoteApps lets them run an attacker-controlled application that appears as a normal program window on the victim’s screen, concealing the malicious activity.

This method provides the attackers with unrestricted access to sensitive files, clipboard data (which may contain passwords or other credentials), and even live inputs from the victim’s system.

The phishing element of the attack is equally insidious. Victims receive emails that appear to be from a legitimate collaboration between Amazon, Microsoft, and the Ukrainian government. These emails contain a seemingly benign attachment labelled “AWS Secure Storage Connection Stability Test.”

In reality, the attachment is an .rdp file signed with a valid Let’s Encrypt certificate; opening it causes the victim’s system to launch an outbound RDP session to a remote server controlled by the attackers.

Once the .rdp file is opened, the attackers are granted direct access to the victim’s system. Because the session is initiated outbound from the victim, it does not trigger the alerts a firewall would raise for an inbound connection. This allows them to silently monitor activity, steal sensitive information, and even control system peripherals such as printers and audio devices.
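The features the campaign abuses (drive, clipboard, printer and audio redirection, plus RemoteApp mode) are all plain-text settings inside the .rdp file itself, so a mail gateway or SOC analyst can triage an attachment before anyone double-clicks it. The script below is an added example written for this article, not GTIG's or Google's tooling; the setting names are the genuine mstsc .rdp keys, but both sample files, the hostnames (using the reserved `.invalid` and `.example` names) and the signature blob are constructed placeholders, not artefacts from the real campaign.

```python
"""Triage an .rdp attachment for the redirection and RemoteApp settings
abused in the campaign described above. Added example, not GTIG tooling."""

import re

# .rdp files are plain text: one "name:type:value" per line, where the type
# is i (integer), s (string) or b (binary). Names may contain spaces.
_LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")

# Integer settings that hand the remote server control of a local resource.
_FLAG_CHECKS = (
    ("remoteapplicationmode", "RemoteApp mode: a remote program is shown as if it were a local window"),
    ("redirectclipboard", "clipboard redirection: copied text, including pasted passwords, reaches the server"),
    ("redirectprinters", "printer redirection: local printers are usable from the server"),
    ("redirectcomports", "COM port redirection"),
    ("redirectsmartcards", "smart card redirection: local smart cards usable from the server"),
    ("audiocapturemode", "microphone capture is sent to the server"),
)
# String-list settings; any non-empty value ('*' means everything) enables them.
_LIST_CHECKS = (
    ("drivestoredirect", "drive redirection: local drives are mapped into the remote session"),
    ("devicestoredirect", "plug-and-play device redirection"),
    ("usbdevicestoredirect", "USB device redirection"),
    ("camerastoredirect", "camera redirection"),
)


def parse_rdp(text):
    """Parse .rdp text into a dict of lowercase setting name -> value."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or malformed line; mstsc ignores these as well
        value = m.group("value").strip()
        if m.group("type") == "i":
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw string so the oddity stays visible
        settings[m.group("name").strip().lower()] = value
    return settings


def triage_rdp(text):
    """Summarise what an .rdp file would hand to the remote server."""
    s = parse_rdp(text)
    findings = [f"{name}: {why}" for name, why in _FLAG_CHECKS if s.get(name) == 1]
    for name, why in _LIST_CHECKS:
        value = str(s.get(name, "")).strip()
        if value:
            findings.append(f"{name}={value}: {why}")
    return {
        "host": s.get("full address", ""),
        "remoteapp": s.get("remoteapplicationmode") == 1,
        # A valid code signature proves who signed the file, not that it is safe.
        "signed": "signature" in s,
        "findings": findings,
        "verdict": "quarantine" if findings else "review",
    }


# Constructed sample in the shape of the campaign's attachment (not the real
# file): RemoteApp front plus drive, clipboard, printer and audio redirection.
SUSPECT_RDP = """\
full address:s:storage-test.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||AWSStorageTest
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
audiocapturemode:i:1
signscope:s:Full Address,RemoteApplicationMode
signature:s:PLACEHOLDER-NOT-A-REAL-SIGNATURE
"""

# Constructed benign profile: full desktop to an internal host, nothing redirected.
ADMIN_RDP = """\
full address:s:jumphost.corp.example
remoteapplicationmode:i:0
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_RDP), ("admin", ADMIN_RDP)):
        result = triage_rdp(sample)
        print(f"[{label}] host={result['host']} verdict={result['verdict']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run against an attachment, a `quarantine` verdict with a `drivestoredirect=*` or `remoteapplicationmode` finding towards an external host is the pattern this article describes; the same checks map onto Group Policy hardening, where disabling drive, clipboard and device redirection on the client removes the capabilities even if a user does open the file.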

Research suggests that RDP-based intrusions are increasingly being linked to ransomware attacks and other malicious activities.

Google says that these phishing attacks are part of a broader trend of Russian cyber groups targeting organisations across critical sectors, and highlights the growing threat posed by Advanced Persistent Threats (APTs).

This delivers a clear warning that organisations must implement stronger security measures to guard against such highly effective cyber attacks.

Sources: Google | Google | I-HLS | Techradar | Security Affairs
