• Microsoft uncovers cyber espionage attacks targeting diplomats
  • Embassies within Russia are being hit with malware
  • The threat actors are using adversary-in-the-middle attacks

Foreign embassies in Moscow are being targeted by Russian state hackers using custom malware, tracked as ApolloShadow and disguised as Kaspersky antivirus software, new reports have claimed.

The attacks have the end goal of installing a TLS root certificate, which allows the threat actor to ‘cryptographically impersonate’ trusted websites visited by the infected system inside the embassy, Microsoft Threat Intelligence reports.

“This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers,” the experts noted.

Secret Blizzard

This cyber espionage campaign targeting diplomats and embassies uses what’s known as an adversary-in-the-middle (AiTM) attack, which occurs when hackers intercept and alter communications between two parties without their knowledge.

These attacks frequently leverage other vectors, such as social engineering emails or messages, to create conditions in which an attacker can intercept and manipulate the communications between users and the legitimate services they use, and then steal credentials and authenticated access tokens.

The notorious threat actor, Secret Blizzard, has previously been observed hacking Ukrainian military tech by stealing points of entry from third parties. The group is one of the most sophisticated and most prolific state-sponsored threat actors in the world.

Microsoft previously assessed with ‘low confidence’ that Secret Blizzard was conducting cyberespionage within Russian borders against its adversaries, but the company now confirms that the group has the capability to carry these attacks out at the Internet Service Provider (ISP) level.

This means diplomats using local ISPs or telecommunications providers within Russia are ‘highly likely’ targets of Secret Blizzard’s AiTM position within those services.

“In our previous blog, we reported the actor likely leverages Russia’s domestic intercept systems such as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating the actor’s current AiTM activity, judging from the large-scale nature of these operations,” Microsoft confirmed.
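Because the campaign’s end goal is a rogue root certificate on the endpoint, the practical defensive check is an audit of the trusted root stores. The PowerShell below is an added example, not code from Microsoft’s report or this article: it assumes a Windows host (ApolloShadow poses as Kaspersky software) and a baseline file of known-good root thumbprints that you build yourself from a clean machine (`C:\baseline\roots.txt` is a constructed path).

```powershell
# Added example: list trusted root certificates that are absent from a local
# baseline or were issued recently. A rogue root planted by malware lets an
# ISP-level AiTM position present valid-looking TLS certificates for any
# site, so an unexpected root is the artefact worth hunting for.

# Assumed path (constructed): one SHA-1 thumbprint per line, exported from a
# known-clean host with the same Windows build.
$BaselinePath = 'C:\baseline\roots.txt'
$Baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $Baseline[$_.Trim().ToUpper()] = $true }
}

# Check both machine-wide and per-user stores: a per-user root install needs
# no administrative rights and is easy to overlook. AuthRoot holds the
# third-party roots that Windows trusts.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert    = $_
        $unknown = -not $Baseline.ContainsKey($cert.Thumbprint.ToUpper())
        # Roots whose validity only started in the last 90 days are suspicious
        # on a host that has been in service longer than that.
        $recent  = $cert.NotBefore -gt (Get-Date).AddDays(-90)
        if ($unknown -or $recent) {
            [pscustomobject]@{
                Store      = $Store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                InBaseline = -not $unknown
            }
        }
    }
}

# Newest roots first; anything not in the baseline needs a human decision.
$Findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Expect some noise from the Windows automatic root update, so keep the baseline current rather than lowering the bar; a root whose subject imitates a security vendor but whose thumbprint nobody recognises is the case this script is meant to surface.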
