
Digital Event Horizon

Moscow's Dark Web: Microsoft Uncovers Sophisticated Russian-State Hackers Targeting Foreign Embassies


Microsoft has uncovered a sophisticated Russian-state hacker group targeting foreign embassies in Moscow with custom malware that installs an attacker-controlled TLS root certificate on the victim machine. With that certificate trusted and elevated privileges obtained, the actors can impersonate any website the infected system visits and maintain long-term persistence for intelligence collection.

  • Microsoft has identified a sophisticated group of hackers known as Secret Blizzard, who have been targeting foreign embassies in Moscow with custom malware.
  • The goal of this campaign is to install a malicious TLS root certificate, delivered by custom malware tracked as ApolloShadow, so the actors can cryptographically impersonate trusted websites.
  • Secret Blizzard is a unit of the Russian Federal Security Service and has been active since at least 1996 under various names.
  • The group uses an adversary-in-the-middle (AitM) attack, leveraging ISPs in Russia to redirect targets to actor-controlled websites.
  • Victims are funneled through a captive portal to an actor-controlled domain that prompts them to download and run ApolloShadow, which then seeks elevated privileges via a UAC prompt.
  • Once elevated, the malware sets the host's network profiles to Private and relaxes firewall rules, easing lateral movement on the network.
  • Microsoft is advising customers in Moscow to route their traffic through an encrypted tunnel to a trusted provider to deny the actors persistence and intelligence collection.



  • In a recent development that has drawn wide attention in the cybersecurity community, Microsoft has identified a sophisticated group of hackers known as Secret Blizzard, who have been actively targeting foreign embassies in Moscow with custom malware. According to Microsoft's threat intelligence team, the goal of this campaign is to install a malicious TLS root certificate using custom malware tracked as ApolloShadow. A root certificate trusted by the victim's operating system lets the actors mint valid-looking certificates for any domain, so they can cryptographically impersonate trusted websites visited by an infected system inside the embassy.

    This malicious activity is part of a broader strategy employed by Secret Blizzard, a unit of the Russian Federal Security Service, which has been active since at least 1996. The group has been tracked under various names, including Turla, Venomous Bear, Uroburos, Snake, Blue Python, Wraith, ATG26, and Waterbug. Microsoft's observations have confirmed that Secret Blizzard is among the world's most active and sophisticated state-sponsored hacking groups.

    The campaign begins with an adversary-in-the-middle (AitM) attack, which positions the threat actor between a targeted embassy and the endpoints it connects to. This allows Secret Blizzard to redirect targets to malicious websites that appear to be known and trusted. The AitM position comes from the capabilities of ISPs in Russia, which are obligated to work on behalf of the Russian government.

    To induce targets to install custom malware tracked as ApolloShadow, Secret Blizzard abuses captive portals. These portals are widely used in legitimate settings to manage Internet access at hotels and airports; here the actors use one to redirect the user to a separate actor-controlled domain that likely displays a certificate validation error. That error page prompts the target to download and execute ApolloShadow, presented as the fix for the apparent connectivity problem.

    Upon execution, ApolloShadow checks the privilege level of its process token. If the device is not running on default administrative settings, the malware displays a User Account Control (UAC) prompt asking the user to approve a component named CertificateDB.exe, which masquerades as a Kaspersky installer and installs the actor's certificates. A user who clicks through the prompt hands the actor elevated privileges on the system.

    If ApolloShadow already has sufficient system rights, the malware configures every network the host connects to as Private. That profile change has several side effects: the host becomes discoverable on the network, and the Windows firewall relaxes its rules to permit file sharing. The main reason for these modifications is likely to reduce the difficulty of lateral movement on the network.
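    The three host-side effects described above (a foreign root certificate in the trust store, network profiles flipped to Private, and file-sharing firewall rules enabled) are all things a defender can enumerate locally. The following PowerShell script is an added example written for this page; it is not code from Microsoft, the article, or the malware. It assumes English display-group names for the firewall rule groups, treats a root certificate's NotBefore date as a proxy for "recently added" (Windows does not record import time, so the lookback window is a heuristic), and optionally compares against a thumbprint baseline CSV captured on a known-clean build. The remediation switch reverts the profile and firewall changes only; it never deletes certificates, because removing the wrong root breaks the host.

```powershell
# Hunting script for the post-exploitation effects described above.
# Added example, not Microsoft's or the article's code. Run elevated.
param(
    [int]$LookbackDays = 30,        # heuristic window for "recently minted" roots (assumption)
    [string]$BaselinePath = '',     # optional CSV of known-good Thumbprint values
    [switch]$WriteBaseline,         # capture current root thumbprints to -BaselinePath
    [switch]$Remediate              # revert network profile and firewall changes
)

$rootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$findings = @()

# Baseline mode: record every root thumbprint on a known-clean machine, then
# run the audit elsewhere with -BaselinePath to flag anything not on the list.
if ($WriteBaseline) {
    $rootStores | ForEach-Object { Get-ChildItem $_ } |
        Select-Object Thumbprint, Subject, NotBefore |
        Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
    return
}

# --- 1. Root certificate store audit ---------------------------------------
$baseline = @{}
if ($BaselinePath -and (Test-Path $BaselinePath)) {
    foreach ($row in Import-Csv $BaselinePath) { $baseline[$row.Thumbprint] = $true }
}
$cutoff = (Get-Date).AddDays(-$LookbackDays)
foreach ($store in $rootStores) {
    foreach ($cert in Get-ChildItem $store) {
        # Public roots are years old; an attacker-minted root is usually fresh.
        $recent = $cert.NotBefore -gt $cutoff
        $known  = $baseline.ContainsKey($cert.Thumbprint)
        if ($recent -or ($baseline.Count -gt 0 -and -not $known)) {
            $findings += [pscustomobject]@{
                Check  = 'RootStore'
                Detail = "$store $($cert.Thumbprint) '$($cert.Subject)' NotBefore=$($cert.NotBefore)"
            }
        }
    }
}

# --- 2. Network connection profiles ----------------------------------------
# A Private profile makes the host discoverable and enables sharing rules.
foreach ($profile in Get-NetConnectionProfile) {
    if ($profile.NetworkCategory -ne 'Public') {
        $findings += [pscustomobject]@{
            Check  = 'NetProfile'
            Detail = "$($profile.InterfaceAlias) '$($profile.Name)' is $($profile.NetworkCategory)"
        }
        # Only Private can be switched back; DomainAuthenticated is set by the domain.
        if ($Remediate -and $profile.NetworkCategory -eq 'Private') {
            Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex -NetworkCategory Public
        }
    }
}

# --- 3. Inbound firewall rules that enable lateral movement ----------------
# Display group names are the English defaults (assumption for localized hosts).
foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
    $rules = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    foreach ($rule in $rules) {
        $findings += [pscustomobject]@{
            Check  = 'Firewall'
            Detail = "$group : $($rule.DisplayName) ($($rule.Profile)) enabled"
        }
        if ($Remediate) { Disable-NetFirewallRule -Name $rule.Name }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    $findings | Format-Table -AutoSize
}
```

    Run it once as `.\audit.ps1 -WriteBaseline -BaselinePath roots.csv` on a clean image, then periodically as `.\audit.ps1 -BaselinePath roots.csv` on the hosts you care about. Any root store hit should be examined by thumbprint and subject before removal; a root that signs certificates for arbitrary public domains, rather than an internal PKI, is the signature of the impersonation capability this campaign is after.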

    Microsoft is advising all customers operating in Moscow, particularly sensitive organizations, to route their traffic through an encrypted tunnel, such as a VPN, that terminates at a trusted provider outside the local ISP path. Because the AitM position depends on the ISP seeing and redirecting plaintext connections, tunneling removes the redirection opportunity and with it the actors' ability to gain persistence and use the infected devices for intelligence collection.

    The discovery of this malicious campaign highlights the ongoing efforts of state-sponsored hacking groups to expand their reach and capabilities. As cybersecurity threats continue to evolve, it is essential for organizations to remain vigilant and take proactive measures to protect themselves against such attacks.



    Related Information:
  • https://www.digitaleventhorizon.com/articles/Moscows-Dark-Web-Microsoft-Uncovers-Sophisticated-Russian-State-Hackers-Targeting-Foreign-Embassies-deh.shtml

  • https://arstechnica.com/information-technology/2025/07/microsoft-catches-russian-hackers-targeting-foreign-embassies/


  • Published: Thu Jul 31 22:01:05 2025 by llama3.2 3B Q4_K_M











    © Digital Event Horizon . All rights reserved.
