Microsoft Detects Russian State Malice Targeting Embassies

Microsoft has uncovered a campaign by Russian state-affiliated hackers targeting various foreign embassies in Moscow through the deployment of advanced custom malware. This campaign, which has been ongoing since last year, makes use of adversary-in-the-middle (AitM) attacks, in which the hackers intercept communications at the Internet Service Provider (ISP) level.

The hacker group, identified as Secret Blizzard by Microsoft, has been active since 1996 and is associated with the Russian Federal Security Service. The group uses its leverage over local ISPs to position itself between embassies and their digital communications, redirecting targets to seemingly legitimate websites that are controlled by the attackers.

Objective: Install ApolloShadow

Microsoft's Threat Intelligence team has confirmed that Secret Blizzard is using this position to install malware dubbed ApolloShadow. The malware installs a TLS root certificate so that attacker-controlled sites can impersonate legitimate websites trusted by embassy users.

A phishing technique observed by Microsoft in February involved directing victims behind captive portals, which are commonly used for managing internet access in places like hotels and airports. This portal launches a legitimate service to check internet connectivity, tricking users into initiating the fake authentication process that leads to the download of the malware.

The malware exploits this process to display a certificate validation error and prompts users to download and execute ApolloShadow. If the process lacks the necessary administrative rights, it deceives users by masquerading as a legitimate installer to gain the elevated privileges needed to alter network settings.

Once ApolloShadow obtains adequate system rights, it categorizes network connections as private, thus potentially relaxing firewall rules and facilitating malicious operations. Secret Blizzard’s main aim appears to be maintaining persistence for intelligence gathering purposes, especially targeting diplomatic personnel.
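Two host-side artefacts the article attributes to ApolloShadow, a newly trusted root certificate and network profiles switched to Private, can be audited from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft or from the report; the baseline file path is a hypothetical placeholder, and it assumes a baseline of root-store thumbprints was exported on a known-good day.

```powershell
# Added example (not from the article or Microsoft): audit the local root CA store
# against a saved baseline and list network profiles the host treats as Private.
# Assumption: the baseline was exported earlier on a known-good machine with
#   Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
#       Select-Object -ExpandProperty Thumbprint | Set-Content <BaselinePath>
param(
    [string]$BaselinePath = 'C:\baseline\root-thumbprints.txt',  # hypothetical path
    [int]$RecentDays = 30                                        # "recently issued" window
)

$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
} else {
    Write-Warning "No baseline at $BaselinePath; every trusted root will be listed."
}

# 1. Trusted roots not present in the baseline. Both the machine and the current-user
#    store are checked, since a user-level install needs no administrative rights.
#    A root whose NotBefore date is recent is flagged separately: a certificate
#    minted for an interception campaign is typically new, while legitimate
#    public roots were issued years ago.
$cutoff = (Get-Date).AddDays(-$RecentDays)
$unexpected = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { -not $baseline.ContainsKey($_.Thumbprint.ToUpper()) } |
    Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*::' } },
                  Subject, Issuer, NotBefore, Thumbprint,
                  @{ n = 'RecentlyIssued'; e = { $_.NotBefore -gt $cutoff } } |
    Sort-Object NotBefore -Descending

"== Trusted roots not in baseline ($($unexpected.Count)) =="
$unexpected | Format-Table -AutoSize

# 2. Network profiles categorised as Private. On a workstation attached to an
#    untrusted uplink the expected category is Public, so Private merits review,
#    because Windows Firewall applies its more permissive Private profile rules.
"== Network profiles treated as Private =="
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -eq 'Private' } |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize
```

Any root that is both absent from the baseline and recently issued should be exported (Export-Certificate) and reviewed before it is removed, so the thumbprint and issuer can be shared with incident responders.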

Microsoft has advised organizations operating in Moscow to route their internet traffic through encrypted tunnels to mitigate these threats. This measure is essential for safeguarding sensitive communications against these sophisticated adversarial tactics.