Recent findings from Microsoft Threat Intelligence reveal a concerning trend of cyber espionage targeting foreign embassies in Moscow. The attackers, identified as Russian state hackers, are deploying malware known as ApolloShadow, which masquerades as Kaspersky antivirus software. Its purpose is to install a TLS root certificate on the victim machine; once that certificate is trusted, the hackers can cryptographically impersonate any website that compromised systems within the embassies visit.
The method employed by these threat actors falls under the category of adversary-in-the-middle (AiTM) attacks. This type of attack allows hackers to intercept and manipulate communications between two parties without their awareness. Often, these operations are facilitated by social engineering tactics, such as deceptive emails or messages, which create opportunities for the attackers to seize credentials and authenticated access tokens.
Among the most notorious of these threat actors is a group known as Secret Blizzard. This group has a history of targeting Ukrainian military technology by exploiting vulnerabilities in third-party systems. Microsoft had previously assessed this capability only with low confidence; it has now confirmed that the group's activities extend to cyber espionage within Russia's borders against perceived adversaries. Their operations can now be executed at the Internet Service Provider (ISP) level, significantly broadening their reach.
As a result, diplomats relying on local ISPs or telecommunications services in Russia are now considered highly likely targets for Secret Blizzard’s AiTM activities. Microsoft has indicated that the group likely utilizes Russia’s domestic intercept systems, such as the System for Operative Investigative Activities (SORM), which may play a crucial role in facilitating their extensive operations.
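The root-certificate installation described in the first paragraph leaves a concrete artifact on the endpoint: a new entry in the Windows trusted root store. The script below is an added example (not Microsoft's or any vendor's code) that snapshots both root stores into a baseline and reports any root added since; the baseline path and the run-as-scheduled-task deployment are assumptions.

```powershell
# Added example: snapshot and diff the Windows root trust stores so that a
# newly installed root CA (the technique attributed to ApolloShadow above)
# is reported. Baseline location is a hypothetical choice for this example.
param(
    [string]$BaselinePath = "$env:ProgramData\RootStoreBaseline.json",
    [switch]$UpdateBaseline
)

# Both stores matter: LocalMachine\Root requires admin rights to modify,
# CurrentUser\Root can be written by the logged-on user's own processes.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect identifying fields for every root currently trusted.
$current = foreach ($s in $stores) {
    Get-ChildItem -Path $s | ForEach-Object {
        [pscustomobject]@{
            Store      = $s
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotBefore  = $_.NotBefore
            SelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

# First run (or explicit refresh) writes the baseline and stops.
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($(@($current).Count) roots)."
    return
}

# Index the baseline by store + thumbprint for an exact match.
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in @($baseline)) { $known["$($b.Store)|$($b.Thumbprint)"] = $true }

# Report anything that is not in the baseline; a root appearing in the
# user store is rated higher because no elevation was needed to add it.
$new = @($current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") })
if ($new.Count -eq 0) { Write-Output "No new root certificates."; return }

foreach ($c in $new) {
    $severity = if ($c.Store -like '*CurrentUser*') { 'HIGH (user-store root)' } else { 'REVIEW' }
    Write-Warning ("[{0}] {1} thumbprint={2} store={3} issued={4:yyyy-MM-dd} selfsigned={5}" -f `
        $severity, $c.Subject, $c.Thumbprint, $c.Store, $c.NotBefore, $c.SelfSigned)
}
```

Run it once with `-UpdateBaseline` on a known-clean machine, then on a schedule; any reported root that does not match a deliberate enterprise CA deployment warrants investigation of how it was installed.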