Russian Hackers Target Foreign Embassies with Sophisticated Malware

Microsoft has raised a red flag on Russian-state hackers, who have been zeroing in on foreign embassies stationed in Moscow. These actors employ tailor-made malware installed through clever adversary-in-the-middle attacks, manipulating Internet Service Providers (ISPs) to achieve their ends.
This cyber campaign, ongoing since last year, exploits ISPs that must operate under Russian governmental directives. By hijacking control of the ISP network, the hacker group—referred to by Microsoft as Secret Blizzard—positions itself strategically between targeted embassies and the systems they connect with. This enables them to lead unsuspecting embassy systems to malicious sites disguised as trusted connections.
Mission to Deploy ApolloShadow
In its breakthrough analysis, Microsoft's Threat Intelligence unit disclosed the group's stronghold at the ISP front, shedding light on its capacity to orchestrate attacks beyond Russian confines. Diplomatic personnel within Russia are at an amplified risk of getting ensnared by Secret Blizzard’s tactics.
Boasting a history of cyber-espionage since 1996, Secret Blizzard operates under aliases like Turla, Venomous Bear and Snake, with ties to the Russian Federal Security Service. Their current objective is to trick embassy systems into downloading a specialized malware known as ApolloShadow. This malware is designed to manipulate trust, allowing Secret Blizzard to impersonate credible websites via a rogue TLS root certificate.
The intricate operation involves placing targets behind captive portals—a commonplace mechanism at airports and hotels—and redirecting them from legitimate sites to those under hacker control. These portals trigger connectivity checks that ultimately coax systems into downloading ApolloShadow under the guise of security software.
The malware employs advanced methods, such as simulating pages that push unsuspecting systems toward secondary infections with additional payloads, ultimately elevating its operational privileges.
In scenarios where ApolloShadow gains adequate permissions, it alters network settings to facilitate data breaches by making devices discoverable and bypassing protective firewalls.
Microsoft stresses that infected systems become persistent gateways for ongoing intelligence collection, necessitating urgent measures for sensitive entities in Moscow to safeguard their communications through encrypted channels connected to trusted ISPs.
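Because the rogue TLS root certificate is the artifact that lets the attacker impersonate trusted sites, one practical defensive check is to audit a Windows host's trusted-root stores against a baseline captured on a known-clean machine. The script below is an added example written for this article, not code from Microsoft's report; the baseline file path and the -Baseline switch are assumptions of the example.

```powershell
# Added example (not from Microsoft's report): compare the trusted-root stores of this host
# against a baseline of approved root thumbprints captured on a known-clean reference machine.
# Usage: run once with -Baseline on a clean host, then run without it on hosts to be audited.
param(
    [string]$BaselinePath = ".\approved-root-thumbprints.txt",  # hypothetical baseline file
    [switch]$Baseline
)

# CurrentUser\Root can be written without administrator rights, so audit both stores.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

# Collect every root certificate with the fields needed to triage an unexpected entry.
$roots = foreach ($s in $stores) {
    Get-ChildItem -Path $s | ForEach-Object {
        [pscustomobject]@{
            Store      = $s
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            SelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

if ($Baseline) {
    # Record the current set of thumbprints as the approved baseline.
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Output "Wrote $($roots.Count) root thumbprints to $BaselinePath"
    return
}

# Anything present now but absent from the baseline is a candidate rogue root.
$approved   = @(Get-Content -Path $BaselinePath)
$unexpected = @($roots | Where-Object { $approved -notcontains $_.Thumbprint })

if ($unexpected.Count -eq 0) {
    Write-Output "No unexpected trusted roots found."
} else {
    Write-Warning "$($unexpected.Count) trusted root(s) not in baseline:"
    # Newest additions first: a recently installed self-signed root is the pattern to escalate.
    $unexpected | Sort-Object NotBefore -Descending |
        Format-Table Store, Thumbprint, Subject, SelfSigned, NotBefore -AutoSize
}
```

Legitimate root updates will also appear as differences, so refresh the baseline from the clean reference host after each sanctioned change rather than tuning the check to ignore them.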