- Microsoft discovers cyber-espionage attacks targeting diplomats
- Embassies in Russia are struck by malware
- Threat actors use adversary-in-the-middle attacks
Foreign embassies in Moscow are being targeted by Russian state hackers using custom malware tracked as ApolloShadow, disguised as Kaspersky antivirus software, according to new reports.
The attacks' end goal is to install a TLS root certificate that lets the threat actor "impersonate the cryptographic identity" of trusted sites visited by the infected system inside the embassy, reports Microsoft Threat Intelligence.
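Why a planted root certificate matters, and how a defender can spot one, as an added illustration that is not part of the report or of Microsoft's analysis: the Go program below builds a constructed "legit" root and a constructed "rogue" root, issues a certificate for an assumed host (mail.example.test) under the rogue root, shows that the forged certificate is accepted only once the rogue root sits in the trust store, and flags that root by diffing the store against an approved fingerprint baseline.

```go
package main

import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"
	"crypto/x509/pkix"; "encoding/hex"; "fmt"; "math/big"; "time")

// newCert creates a key and a one-day certificate for cn, signed by parent (self-signed when parent is nil).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA { // a root: allowed to sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // a server leaf: the host name goes in the SAN, which is what TLS clients match
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey) // errors ignored: demo only
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted reports whether leaf validates for host against exactly these roots (no system store involved).
func trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// fingerprint is the SHA-256 of the DER bytes, the value trust-store tools display.
func fingerprint(c *x509.Certificate) string { s := sha256.Sum256(c.Raw); return hex.EncodeToString(s[:]) }

// unexpectedRoots returns fingerprints of installed roots that are not in the approved baseline.
func unexpectedRoots(baseline map[string]bool, installed ...*x509.Certificate) (out []string) {
	for _, c := range installed {
		if fp := fingerprint(c); !baseline[fp] {
			out = append(out, fp)
		}
	}
	return out
}

func main() {
	legit, _ := newCert("Legit Root (constructed)", true, nil, nil)
	rogue, rogueKey := newCert("Rogue Root (constructed)", true, nil, nil)
	leaf, _ := newCert("mail.example.test", false, rogue, rogueKey) // the impersonated site's forged cert
	fmt.Println("accepted: baseline roots only =", trusted(leaf, "mail.example.test", legit), "| rogue root installed =", trusted(leaf, "mail.example.test", legit, rogue))
	fmt.Println("flagged by baseline diff:", unexpectedRoots(map[string]bool{fingerprint(legit): true}, legit, rogue))
}
```

In practice the baseline is the set of fingerprints your fleet is expected to trust, and the installed set is exported from the OS or browser trust store; any fingerprint the diff reports is worth a look.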
“This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities and other sensitive organizations operating in Moscow, particularly entities that rely on local internet providers,” the experts noted.
Secret Blizzard
This cyber-espionage campaign targeting diplomats and embassies uses what is known as an adversary-in-the-middle (AitM) attack, in which the attackers intercept and modify communications between two parties without their knowledge.
These attacks frequently rely on other vectors such as emails or social-engineering messages to create conditions in which an attacker can intercept and manipulate communications between users and the legitimate services they use, then steal credentials and authenticated access tokens.
The notorious threat actor Secret Blizzard has previously been observed hacking Ukrainian military technology by stealing third-party points of entry. The group is one of the most sophisticated and prolific state-sponsored threat actors in the world.
Microsoft had previously assessed with “low confidence” that Secret Blizzard conducts cyber-espionage inside Russia's borders against its adversaries, but the company now confirms that the group has the capability to do so at the internet service provider (ISP) level.
This means that diplomats using local ISPs or telecommunications providers in Russia are “most likely” targets of Secret Blizzard's AitM positioning within those services.
“In our previous blog, we noted that the actor is likely using Russia's interception systems such as the System for Operative Investigative Activities (SORM), which we assess may be an integral part of the actor's current AitM activity, judging by the large-scale nature of these operations,” Microsoft confirmed.