Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Microsoft Discovers Sophisticated Russian State-Sponsored Hacking Operation Targeting Foreign Embassies


Microsoft has discovered a highly sophisticated state-sponsored hacking operation targeting foreign embassies in Moscow with custom malware that uses an adversary-in-the-middle attack to gain access to sensitive systems. The operation is believed to be conducted by the Russian government-backed group Secret Blizzard.

  • Microsoft discovers sophisticated hacking operation: Secret Blizzard targets foreign embassies in Moscow with custom malware.
  • Custom malware used in an AitM attack: the hackers position themselves between the target and the internet and redirect victims to malicious websites that appear trusted.
  • Goal of the campaign: induce targets to install the ApolloShadow malware, which enables impersonation of trusted sites.
  • Malware configuration allows for lateral movement on the network and reduces the difficulty of intelligence collection.


  • Microsoft has recently uncovered a highly sophisticated and state-sponsored hacking operation conducted by a group known as Secret Blizzard, which has been targeting foreign embassies in Moscow with custom malware. According to Microsoft's threat intelligence team, the campaign has been ongoing since last year and leverages Internet Service Providers (ISPs) in Russia, which are obligated to work on behalf of the Russian government.

    The hackers use a technique known as an adversary-in-the-middle (AitM) attack, positioning themselves between the targeted embassy and the end points they connect to. This allows them to send targets to malicious websites that appear to be known and trusted. The goal of this campaign is to induce targets to install custom malware tracked as ApolloShadow, which in turn installs a TLS root certificate that enables Secret Blizzard to cryptographically impersonate trusted websites visited by an infected system inside the embassy.

    The attackers begin their operation by putting the target behind a captive portal, a mechanism widely used in legitimate settings to manage Internet access at hotels and airports. Once the target is behind the captive portal, they are redirected to a separate actor-controlled domain that displays a certificate validation error, prompting the user to download and execute ApolloShadow. Following execution, the malware checks the privilege level of its process token and, if the device is not running on default administrative settings, it presents a User Account Control (UAC) pop-up window seeking to elevate its system access.

    The malware uses a sophisticated process that spoofs a page at hxxp://timestamp.digicert.com/registered, which sends the system a second-stage payload in the form of a VBScript. Once decoded, ApolloShadow relaunches itself and presents the user with another UAC window seeking to elevate its system access. If the malware already has sufficient system rights, it configures all networks the host connects to as private.

    The main reason for these modifications is likely to reduce the difficulty of lateral movement on the network. The ability to cause infected devices to trust malicious sites allows the threat actor to maintain persistence, which is likely used in intelligence collection. Microsoft has advised all customers operating in Moscow, particularly sensitive organizations, to tunnel their traffic through encrypted tunnels that connect to a trusted ISP.

    The group Secret Blizzard is among the world's most active and sophisticated state-sponsored hacking groups, with a history dating back to at least 1996. It is also tracked under other names including Turla, Venomous Bear, Uroburos, Snake, Blue Python, Wraith, ATG26, and Waterbug.
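    The article describes two host-level changes that ApolloShadow makes once it has elevated: it installs a TLS root certificate, and it reconfigures the host's networks as private. The following PowerShell script is an added example written for this page, not code from the article, from Microsoft, or from the malware; it audits a Windows host for both conditions. The baseline thumbprint list is an assumption with constructed placeholder values and should be populated from a known-good machine.

```powershell
# Added defensive example (not from the article or Microsoft): audit a Windows host
# for an unexpected root CA in the trust store and for network profiles set to Private,
# the two host-level changes the article attributes to ApolloShadow.

# ASSUMPTION: baseline of trusted root thumbprints taken from a known-good host, e.g.
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
# The entries below are constructed placeholders, not real thumbprints.
$BaselineThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

function Get-UnexpectedRootCerts {
    param(
        [string[]]$Baseline,
        [int]$RecentDays = 30
    )
    # Check both the machine-wide and the per-user root stores; an elevated installer
    # can write to either.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            if ($Baseline -notcontains $_.Thumbprint) {
                [pscustomobject]@{
                    Store          = $store
                    Subject        = $_.Subject
                    Thumbprint     = $_.Thumbprint
                    NotBefore      = $_.NotBefore
                    # A root whose validity started only days ago is the strongest signal
                    RecentlyIssued = ($_.NotBefore -gt (Get-Date).AddDays(-$RecentDays))
                }
            }
        }
    }
}

function Get-PrivateNetworkProfiles {
    # Get-NetConnectionProfile ships with the NetConnection module on Windows 8 /
    # Server 2012 and later. A profile unexpectedly switched to Private loosens
    # firewall rules and makes the host reachable for lateral movement.
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'Private' } |
        Select-Object Name, InterfaceAlias, NetworkCategory
}

$certs = Get-UnexpectedRootCerts -Baseline $BaselineThumbprints
if ($certs) {
    Write-Warning 'Root certificates not in baseline (review each one):'
    $certs | Format-Table -AutoSize
} else {
    Write-Output 'No unexpected root certificates found.'
}

$profiles = Get-PrivateNetworkProfiles
if ($profiles) {
    Write-Warning 'Network profiles set to Private (confirm these are expected):'
    $profiles | Format-Table -AutoSize
} else {
    Write-Output 'No network profiles are set to Private.'
}
```

Run it in an elevated PowerShell session so the LocalMachine store and network profiles are readable. Any root certificate not in the baseline deserves manual review, and a self-signed root with a very recent NotBefore date on a host that recently passed through a captive portal matches the behaviour the article describes closely enough to warrant incident response.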



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Discovers-Sophisticated-Russian-State-Sponsored-Hacking-Operation-Targeting-Foreign-Embassies-ehn.shtml

  • https://arstechnica.com/information-technology/2025/07/microsoft-catches-russian-hackers-targeting-foreign-embassies/


  • Published: Thu Jul 31 17:48:59 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.