Microsoft catches Russian hackers targeting foreign embassies

In a significant cybersecurity revelation, Microsoft has reported that Russian state-sponsored hackers have been targeting foreign embassies in Moscow using sophisticated malware. This alarming campaign, which has been ongoing since last year, exploits adversary-in-the-middle (AiTM) attacks that operate at the level of Internet Service Providers (ISPs). The threat group, identified by Microsoft as Secret Blizzard, utilizes Russian ISPs, which are compelled to cooperate with government directives. By positioning themselves between the targeted embassies and the external networks they interact with, these hackers can redirect embassy personnel to malicious websites that mimic legitimate, trusted ones.

Microsoft's Threat Intelligence team confirmed that this marks the first instance in which they can assert that Secret Blizzard possesses the capability to conduct cyber-espionage at the ISP level. As a result, diplomatic staff utilizing local ISPs in Russia are at heightened risk of being targeted by these sophisticated cybercriminals.

Secret Blizzard is recognized as one of the most active and advanced state-sponsored hacking groups globally, with a history dating back to at least 1996. According to the Cybersecurity and Infrastructure Security Agency, this group operates under the Russian Federal Security Service and is also known by various aliases, including Turla, Venomous Bear, and Waterbug.

The primary objective of this malicious campaign is to prompt victims into installing custom malware named ApolloShadow. This malware, once installed, can set up a TLS root certificate that allows Secret Blizzard to impersonate trusted websites accessed by the compromised systems within the embassies. A recent AiTM attack observed in February began by placing victims behind a captive portal, a tactic often used in legitimate environments like hotels and airports to control internet access and require user authentication.
As these cyber threats evolve, the implications for international security and diplomatic operations become increasingly concerning.

Sources : Ars Technica

Published On : Jul 31, 2025, 21:50
