Russian-state hackers are targeting foreign embassies in Moscow with custom malware that gets installed using adversary-in-the-middle attacks that operate at the ISP level, Microsoft warned Thursday.
The campaign has been ongoing since last year. It leverages ISPs in that country, which are obligated to work on behalf of the Russian government. With the ability to control the ISP network, the threat group—which Microsoft tracks under the name Secret Blizzard—positions itself between a targeted embassy and the end points they connect to, a form of attack known as an adversary in the middle, or AitM. The position allows Secret Blizzard to send targets to malicious websites that appear to be known and trusted.
Objective: Install ApolloShadow
“While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level,” members of the Microsoft Threat Intelligence team wrote. “This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within those services.”
