Microsoft Uncovers Hackers Targeting Embassies

Microsoft has uncovered a sophisticated campaign by Russian state hackers targeting foreign embassies in Moscow with custom malware installations. Using adversary-in-the-middle (AiTM) attacks that operate at the internet service provider (ISP) level, the hackers pose a significant threat, as Microsoft reported on Thursday.
In a campaign ongoing since last year, the group, known as Secret Blizzard, exploits the cooperation that Russian ISPs are required to provide to the Russian government. Using that control over ISP networks, Secret Blizzard positions itself between embassies and their endpoints, redirecting traffic to malicious websites that mimic known and trusted sites.
Their primary objective is to deploy malware known as ApolloShadow, which installs a TLS root certificate so that trusted websites accessed by embassy systems can be cryptographically impersonated. Microsoft's report confirms that Secret Blizzard is capable of conducting cyber operations at the ISP level, targeting diplomatic personnel who rely on local services.
Active since at least 1996, Secret Blizzard is part of the Russian Federal Security Service, tracked under various names and recognized for its global illicit cyber operations. Through AiTM attacks, such as those observed in February, unsuspecting targets are redirected to actor-controlled domains, leading to credential theft and unauthorized software installations.
Microsoft has observed an increase in these attacks, which start by misdirecting users via a captive portal, frequently seen in legitimate contexts like hotel or airport internet access. The deceptive tactic culminates in the execution of ApolloShadow, which attempts to gain administrative rights by mimicking trusted software, and reconfigures network settings to assist lateral movement.
The persistence achieved through these methods allows Secret Blizzard to monitor online activities within embassies continually. Microsoft advises organizations to utilize encrypted connections to trustworthy ISPs to mitigate these risks effectively.
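As a defender's check for the root-certificate installation described above, the following is an added PowerShell example, not code from Microsoft's report: it snapshots the trusted root stores on a Windows endpoint and reports any root that has appeared since the saved baseline. It assumes Windows endpoints; the baseline file path is an arbitrary choice.

```powershell
# Added example (not from the report): snapshot the trusted root stores and
# report any root certificate that was not present in the saved baseline.
# Assumptions: Windows endpoint; the baseline file location is arbitrary.
param(
    [string]$BaselinePath = "$env:ProgramData\root-store-baseline.json",
    [switch]$UpdateBaseline
)

# Both stores matter: a root added under CurrentUser needs no admin rights,
# while the machine store is what the malware's admin prompt is after.
$storePaths = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$roots = foreach ($store in $storePaths) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
        }
    }
}

if ($UpdateBaseline -or -not (Test-Path -Path $BaselinePath)) {
    $roots | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written with $($roots.Count) roots to $BaselinePath"
    return
}

# Index the baseline by store and thumbprint so a root that moved stores is also reported.
$known = @{}
foreach ($b in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
    $known["$($b.Store)|$($b.Thumbprint)"] = $true
}

$added = $roots | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }
if (-not $added) {
    Write-Output 'No root certificates added since baseline.'
    return
}

# Anything listed here should be explained by a deliberate PKI change; a recently
# issued, self-signed root that nobody provisioned warrants incident triage.
$added | Sort-Object NotBefore -Descending |
    Format-Table Store, Thumbprint, Subject, NotBefore -AutoSize
```

Run it once with -UpdateBaseline on a known-good image, then schedule it so new roots surface promptly rather than after traffic has already been intercepted.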