Russian Hackers Target Embassies via ISP in AiTM Attacks: Microsoft

Summary
– Microsoft warns that Russian cyber-espionage group Secret Blizzard (Turla) is targeting diplomatic missions in Moscow by exploiting local ISPs to deploy ApolloShadow malware.
– The group uses adversary-in-the-middle (AiTM) tactics, redirecting targets to fake Kaspersky antivirus updates to install malware and a trusted root certificate.
– ApolloShadow enables long-term access by tricking devices into recognizing malicious sites as legitimate, posing high risks to diplomatic entities relying on local ISPs.
– Secret Blizzard leverages Russia’s SORM interception systems and has been active since at least 2024, targeting embassies, governments, and research facilities globally.
– The group is known for unconventional tactics, including hijacking other threat actors’ infrastructure and using social media for malware control.

Russian state-linked hackers have been exploiting local internet providers to infiltrate diplomatic missions in Moscow, deploying sophisticated malware to steal sensitive intelligence. Microsoft has identified the group, tracked as Secret Blizzard, using adversary-in-the-middle (AiTM) attacks at the ISP level to compromise embassy networks.
The hackers redirect victims to fake login portals, tricking them into downloading malicious payloads disguised as Kaspersky antivirus updates. Once installed, the malware, dubbed ApolloShadow, adds a root certificate so that the device trusts attacker-controlled websites, giving the attackers long-term access. This allows them to maintain persistence and gather classified data from diplomatic systems.
Microsoft confirmed this marks the first verified instance of Secret Blizzard leveraging ISP-level access for espionage. The campaign, active since at least 2024, primarily threatens foreign embassies and organizations relying on Russian internet services. The hackers exploit Russia’s System for Operative Investigative Activities (SORM), a domestic surveillance framework, to amplify their attacks.
The group, also known as Turla or Venomous Bear, has a decades-long history of targeting high-value entities, including governments, research institutions, and military agencies across 100+ countries. Linked to Russia’s FSB Center 16, they’ve previously used malware like Snake, controlled via unconventional methods such as Instagram comments.
Notably, Turla has hijacked infrastructure from other threat actors, including Iran’s OilRig and Pakistan’s Storm-0156, to obscure their involvement. Recent attacks leveraged compromised systems to target Ukrainian military devices connected via Starlink. Their adaptability and use of third-party tools make them a persistent and elusive threat.
Diplomatic entities in Moscow are urged to enhance security measures, particularly when using local ISPs, as the risk of interception remains critically high. Microsoft continues to monitor the group’s activities, warning of their evolving tactics and global reach.
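One concrete check a defender can run on Windows hosts in such an environment, added here as an example and not part of the Microsoft or Bleeping Computer reporting: diff the machine and user root certificate stores against a baseline captured on a known-clean host, since the campaign described above depends on a newly trusted root certificate. The baseline file path is a hypothetical placeholder.

```powershell
# Added example (not from the report): audit Windows root stores for
# certificates that were not present in a known-good baseline.
# First run on a clean host writes the baseline; later runs diff against it.
# The baseline path is a hypothetical placeholder.
param(
    [string]$BaselinePath = 'C:\baseline\root-thumbprints.txt',
    [int]$RecentDays = 30   # additionally flag roots issued very recently
)

# Both stores matter: a user-level install needs no admin rights.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$roots = foreach ($path in $stores) {
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{ Store = $path; Cert = $_ }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # Baseline format: one uppercase thumbprint per line.
    $roots.Cert.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Host "Baseline written: $($roots.Count) root certificates. Re-run to diff."
    return
}

$baseline = Get-Content $BaselinePath |
    ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ }
$cutoff = (Get-Date).AddDays(-$RecentDays)

$findings = foreach ($entry in $roots) {
    $c = $entry.Cert
    $reasons = @()
    if ($baseline -notcontains $c.Thumbprint.ToUpper()) { $reasons += 'not in baseline' }
    if ($c.NotBefore -gt $cutoff) { $reasons += "issued within last $RecentDays days" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Store      = $entry.Store
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            NotBefore  = $c.NotBefore
            Reason     = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    # Anything listed here deserves manual review before the host is trusted
    # for diplomatic traffic; a legitimate vendor root still warrants a second look.
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No root certificates outside the baseline.'
}
```

Run the script once on a freshly imaged host to capture the baseline, then on a schedule or after any unexpected antivirus "update" prompt.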
(Source: Bleeping Computer)

