
Russian Cyberspies Target Foreign Embassies in Moscow via AitM Attacks: Microsoft

Russian state-sponsored APT Secret Blizzard has used ISP-level AitM attacks to infect diplomatic devices with malware.


Russian hackers were caught relying on adversary-in-the-middle (AitM) attacks to deploy malware on devices belonging to diplomatic personnel in Moscow, Microsoft reports.

The attacks have been ongoing since at least 2024 and involved the deployment of a custom malware family dubbed ApolloShadow, associated with the Russian state-sponsored APT Secret Blizzard.

Active since at least 2006, the threat actor is also tracked as Krypton, Snake, Turla, Uroburos, Venomous Bear, and Waterbug, and is known for conducting cyberespionage operations on behalf of Russia’s FSB security agency.

“While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level,” Microsoft notes.

Secret Blizzard was previously seen using Russia’s domestic intercept systems, including the System for Operative Investigative Activities (SORM), which likely allowed it to establish the AitM position within ISPs and leverage it for large-scale malware deployment, the tech giant explains.

As part of the recent campaign, aimed at foreign embassies in Moscow, the threat actor redirected target devices behind a captive portal – a legitimate page for managing network access – where a network connectivity test was initiated by the system.


The victim’s browser was then redirected to an actor-controlled domain displaying a certificate error, prompting the execution of ApolloShadow and the installation of a fake Kaspersky root certificate that provides the attackers with elevated privileges on the device.

If the malware runs with low privileges, it attempts to bypass User Account Control (UAC) and trick the user into granting it the highest privileges available. If executed with elevated privileges, it modifies settings to mark all networks as private, to make the device discoverable, and to enable file sharing.

ApolloShadow relies on the Windows certutil utility to install its two root certificates, deletes all temporary files, adds a preference file to Firefox to ensure it trusts the certificates, and then creates an administrative user account named ‘UpdatusUser’, with a hardcoded password that never expires.
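As an added example (not Microsoft's or SecurityWeek's code), a small detection pass over constructed Windows Security events for two of the host artefacts just described: certutil adding a certificate to a Root store, and creation of the 'UpdatusUser' account. The JSON field names and the certutil command line are assumptions about how a SIEM would expose events 4688 and 4720, not documented ApolloShadow behaviour.

```python
"""Detection logic for the ApolloShadow host artefacts described above.

Added example, not Microsoft's or SecurityWeek's code. It runs over a
constructed batch of Windows Security events flattened to JSON lines
(the field names are an assumption about how a SIEM would expose them).
"""
import json
import re

# Event 4688 = process creation, 4720 = local account created (Security log).
PROCESS_CREATED = 4688
ACCOUNT_CREATED = 4720

# certutil invoked to add a certificate to a Root store: the article's
# root-certificate installation step. The regex is this example's
# heuristic, not a documented ApolloShadow command line.
CERTUTIL_ROOT_INSTALL = re.compile(
    r"certutil(\.exe)?\b.*-addstore\b.*\broot\b", re.IGNORECASE)
SUSPECT_ACCOUNT = "updatususer"  # account name reported by Microsoft


def analyze(lines):
    """Return a list of (event_id, host, reason) findings for matching events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == PROCESS_CREATED and CERTUTIL_ROOT_INSTALL.search(ev.get("CommandLine", "")):
            findings.append((eid, host, "certutil adding certificate to Root store"))
        elif eid == ACCOUNT_CREATED and ev.get("TargetUserName", "").lower() == SUSPECT_ACCOUNT:
            findings.append((eid, host, "local account 'UpdatusUser' created"))
    return findings


# Constructed sample events: two that should fire, two benign ones.
SAMPLE_EVENTS = """
{"EventID": 4688, "Computer": "EMB-WS01", "CommandLine": "certutil.exe -addstore -f Root C:\\\\Users\\\\Public\\\\ca.cer"}
{"EventID": 4688, "Computer": "EMB-WS01", "CommandLine": "certutil.exe -hashfile report.pdf SHA256"}
{"EventID": 4720, "Computer": "EMB-WS01", "TargetUserName": "UpdatusUser"}
{"EventID": 4720, "Computer": "EMB-WS02", "TargetUserName": "svc_backup"}
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

A certutil hit alone is not proof of compromise; correlate it with the Root-store change and the account creation on the same host before escalating.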

According to Microsoft, all diplomatic personnel in Russia using local ISP or telecom services are likely targeted by the Secret Blizzard campaign. The company therefore recommends that all customers, especially organizations operating in Moscow, route traffic through an encrypted tunnel or use a trusted VPN service.

Applying the principles of least privilege, implementing MFA, auditing privileged account activity and regularly reviewing admin accounts, ensuring that proper cybersecurity protections are enabled, and blocking the execution of scripts and executable files should mitigate the risk of infection.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
