Microsoft Uncovers Russian Hackers Targeting Embassies in Moscow

Microsoft has issued a warning about Russian state-sponsored hackers targeting foreign embassies in Moscow. The attackers combine custom malware with adversary-in-the-middle (AitM) attacks carried out at the internet service provider (ISP) level. The campaign relies on ISPs in Russia, which are legally required to cooperate with the government, to get between embassy staff and the networks and services they connect to.

The threat group, which Microsoft tracks as Secret Blizzard, uses its position inside the ISP network to redirect targeted embassy traffic to attacker-controlled websites that mimic legitimate ones. In an AitM attack the adversary sits between the victim and the services the victim connects to, so it can read and alter traffic that the victim believes is going directly to the intended site.

Microsoft's recent assessment is that Secret Blizzard can operate at the ISP level inside Russia, which means diplomatic personnel who use local telecommunications providers should assume they are targets. Secret Blizzard (also known as Turla), active since 1996, is among the most sophisticated state-sponsored hacking groups and is attributed to Russia's Federal Security Service (FSB).

The objective of the campaign is to install custom malware that Microsoft calls ApolloShadow. ApolloShadow installs a root certificate into the infected system's trusted root store, so any TLS certificate issued under that root, including one for a site the victim trusts, is accepted without warning by applications that rely on the system store. That is what turns the ISP-level redirection into a working impersonation: the attacker can present a forged certificate for a legitimate site and the victim's machine sees a valid connection. Microsoft observed the redirection landing victims on a captive portal that looks legitimate and prompts them to download and run ApolloShadow.

On execution, ApolloShadow checks whether it is running with administrative privileges. If it is not, it displays a page that mimics a legitimate one to deliver a second-stage payload that attempts to escalate privileges. It also sets the host's network profiles to Private; on Windows the Private profile applies a more permissive firewall policy and enables network discovery and sharing, which makes later lateral movement across the network easier for the attackers.
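As an added example (not code from Microsoft's report, and not the malware itself), the following PowerShell script audits a Windows host for the two side effects described above: a trusted root certificate that a clean build does not have, and network profiles set to Private. The baseline file location, its one-thumbprint-per-line format and the 30-day "recently issued" window are assumptions chosen for this example; run it in an elevated PowerShell session.

```powershell
<#
  Added example, not from the Microsoft report or the malware.
  Usage:
    .\Audit-ApolloShadowTraces.ps1 -ExportBaseline   # once, on a known-clean build
    .\Audit-ApolloShadowTraces.ps1                    # on a suspect host
    .\Audit-ApolloShadowTraces.ps1 -Remediate         # also reset Private profiles to Public
#>
[CmdletBinding()]
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.txt",  # assumed location
    [switch]$ExportBaseline,
    [switch]$Remediate,
    [int]$RecentDays = 30                                            # assumed window
)

# Both stores matter: a non-admin process can still add to CurrentUser\Root.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root

if ($ExportBaseline) {
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Host "Exported $($roots.Count) root thumbprints to $BaselinePath"
    return
}

# 1. Trusted roots that the clean baseline does not contain, or that were
#    issued very recently (a root CA minted days ago is unusual on its own).
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
} else {
    Write-Warning "No baseline at $BaselinePath; every root will be reported as unknown."
}

$cutoff  = (Get-Date).AddDays(-$RecentDays)
$suspect = foreach ($c in $roots) {
    $unknown = -not $baseline.ContainsKey($c.Thumbprint.ToUpper())
    $recent  = $c.NotBefore -gt $cutoff
    if ($unknown -or $recent) {
        [pscustomobject]@{
            Store      = $c.PSParentPath -replace '^.*::', ''
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            NotBefore  = $c.NotBefore
            Reason     = @(if ($unknown) { 'not-in-baseline' }; if ($recent) { 'recently-issued' }) -join ','
        }
    }
}

if ($suspect) {
    Write-Warning "Trusted root certificates needing review:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "Root stores match baseline."
}

# 2. Network profiles set to Private (more permissive firewall profile,
#    discovery and sharing enabled). Domain-joined interfaces report
#    DomainAuthenticated and are left alone.
$private = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Private'
foreach ($p in $private) {
    Write-Warning ("Interface '{0}' (network '{1}') is Private" -f $p.InterfaceAlias, $p.Name)
    if ($Remediate) {
        Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
        Write-Host "  reset to Public"
    }
}
```

The script deliberately does not delete certificates: a root that is unknown to the baseline should be confirmed against a second clean host before it is removed with `Remove-Item Cert:\LocalMachine\Root\<thumbprint>`, because pulling a legitimate enterprise root breaks more than it protects. Treat any hit in the "recently-issued" column on a machine that has also been switched to Private as a strong signal rather than two unrelated findings.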

Persistence gives the attackers a lasting foothold from which to collect intelligence. Microsoft advises organisations operating in Moscow, especially diplomatic and other sensitive ones, to route their traffic through an encrypted tunnel to a trusted provider, so that the local ISP sees only tunnel traffic it cannot inspect or selectively redirect.