APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP
Russian state-sponsored hacking group APT29 has adopted an innovative attack strategy using manipulated Remote Desktop Protocol (RDP) configurations to target governments, military organizations, think tanks, and Ukrainian entities.
The sophisticated campaign, discovered by Trend Micro researchers, repurposes legitimate red team testing methods to compromise high-value targets through carefully crafted spear-phishing emails containing malicious RDP configuration files.
When victims open these files, their machines initiate connections to attacker-controlled servers through a network of 193 RDP relay points. The hackers leverage PyRDP, an open-source tool that acts as a "Monster-in-the-Middle" proxy, to intercept and manipulate these RDP sessions while avoiding detection.
The scale of the operation became apparent when approximately 200 high-profile targets were attacked in a single day. The threat actors carefully masked their activities by routing traffic through Tor exit nodes, residential proxies, and commercial VPN services.
"A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation," noted researchers Feike Hacquebord and Stephen Hilt from Trend Micro.
The attack methodology allows APT29 to:
- Deploy malicious scripts
- Alter system settings
- Access victim systems
- Perform unauthorized file operations
- Extract sensitive data and credentials
What makes this campaign particularly dangerous is that it accomplishes data theft without deploying custom malware, making traditional detection methods less effective. The attack relies solely on manipulating legitimate RDP functionality through malicious configuration files.
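A defender-side triage check for the lure attachments described above, added here as an illustration and not taken from Trend Micro's report or tooling: it parses the `name:type:value` lines of an .rdp file and flags the settings that matter in this campaign, a connection to a host outside the organisation combined with drive, clipboard or RemoteApp redirection. The trusted-suffix list and the sample file are constructed assumptions.

```python
import ipaddress
import re

# Each .rdp line is "name:type:value" (type s=string, i=integer, b=binary).
LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")
# Hypothetical: DNS suffixes of the organisation's own RDP hosts.
TRUSTED_SUFFIXES = (".corp.example",)
# Flags that hand local resources to the remote host for the session.
REDIRECT_FLAGS = ("redirectclipboard", "redirectprinters", "redirectsmartcards")

def parse_rdp(text):
    """Return {setting: value}, lower-casing names and skipping bad lines."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group("name").strip().lower()] = m.group("value").strip()
    return settings

def is_untrusted_host(address):
    """True unless the target is a private IP or carries a trusted suffix."""
    host = address.split(":")[0].strip("[]").lower()  # drop ":port"
    if not host:
        return False
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return not host.endswith(TRUSTED_SUFFIXES)

def assess_rdp(text):
    """Return findings for an .rdp file; an empty list means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    if is_untrusted_host(s.get("full address", "")):
        findings.append("untrusted target: " + s["full address"])
    if s.get("drivestoredirect"):  # "*" exposes every local drive
        findings.append("drive redirection: " + s["drivestoredirect"])
    findings += [f + " enabled" for f in REDIRECT_FLAGS if s.get(f) == "1"]
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp launch: " + s.get("remoteapplicationprogram", "?"))
    return findings

# Constructed sample resembling a lure attachment (not a real indicator).
SAMPLE_RDP = """\
full address:s:rdp.lure-host.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||example-app
"""
```

Run `assess_rdp` over attachments at the mail gateway or in a sandbox; any non-empty result on an externally received .rdp file is worth an analyst's look.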
The campaign, which began in August 2023, demonstrates APT29's ability to adapt and incorporate new attack methodologies. Multiple cybersecurity organizations, including Ukraine's CERT-UA, Microsoft, and AWS, have issued alerts about these activities.
This latest evolution in APT29's tactics highlights how state-sponsored threat actors continue to innovate by studying and adopting techniques developed by security researchers and red teams.