Microsoft Unveils Russian Hackers Targeting Embassies

Microsoft has identified an ongoing cyber campaign by Russian state-sponsored hackers targeting foreign embassies in Moscow. The hackers carry out adversary-in-the-middle attacks at the ISP level and use that position to install custom malware.

The campaign relies on local ISPs, which must comply with government requests, to put the attackers between the embassies and the rest of the internet. From this intermediary position the group, known as Secret Blizzard, can redirect embassy staff to malicious websites that imitate trusted ones.

Objectives of the Russian Hackers

The hackers aim to deploy "ApolloShadow," malware that installs a TLS root certificate on the victim's device so that the attackers' own certificates for trusted sites are accepted, enabling impersonation of those sites. The group also makes use of captive portals, of the kind found in legitimate settings such as hotels and airports, to isolate embassy staff's devices.

Once in position, the hackers lure users into downloading ApolloShadow by presenting a certificate validation error message. The malware then checks the SystemToken privileges it is running with and, when necessary, uses deceptive prompts to escalate privileges and install the root certificate.

If the malware has adequate rights, it reconfigures network settings, including file sharing and firewall rules, to ease lateral movement across the network, which substantially widens the risk the compromised host poses.
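A defender-side check tied to the root-certificate step described above: baseline the Windows trusted-root stores on a known-good machine and flag any root added since. This is an added example, not code from Microsoft's report; the baseline path is a hypothetical placeholder.

```powershell
# Added example: baseline and audit the Windows trusted-root certificate stores.
# Assumes a hypothetical baseline location C:\SecBaseline\roots.csv.
$BaselinePath = 'C:\SecBaseline\roots.csv'
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-TrustedRoots {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good machine: record the baseline and stop.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    Get-TrustedRoots | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Import-Csv -Path $BaselinePath
$current  = Get-TrustedRoots

# Roots present now but absent from the baseline are the ones to investigate.
$new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Store, Thumbprint | Where-Object SideIndicator -eq '=>'

foreach ($n in $new) {
    $cert = $current | Where-Object { $_.Store -eq $n.Store -and $_.Thumbprint -eq $n.Thumbprint }
    # A self-signed root (Subject equals Issuer) that appeared recently, especially
    # in the per-user store, is the trace a rogue root installation leaves behind.
    $selfSigned = $cert.Subject -eq $cert.Issuer
    Write-Warning ("NEW ROOT in {0}: {1} (self-signed: {2}, valid from {3})" -f `
        $cert.Store, $cert.Subject, $selfSigned, $cert.NotBefore)
}
if (-not $new) { Write-Output 'No new trusted roots since baseline.' }
```

Run it once on a clean build to create the baseline, then schedule it; any warning line is a root the organisation did not deliberately deploy and should be compared against the list of roots pushed by group policy.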

Safeguarding Against the Threat

Microsoft advises embassies and other sensitive organizations in Moscow to protect their networks by routing traffic through encrypted tunnels that terminate at trusted providers, so that a local ISP cannot intercept or redirect the traffic. This preemptive measure is meant to mitigate the risk and keep sensitive communications secure.

Secret Blizzard remains one of the most formidable state-sponsored hacking groups, consistently adapting its strategies to exploit vulnerabilities at the ISP level.