
Ethical Hacking News

Russian Hackers Utilize ISP Access to Launch Sophisticated AiTM Attacks on Embassies



In a concerning development, Microsoft has warned that Russian hackers are using ISP access to launch sophisticated AiTM attacks on embassies in Moscow, posing a significant threat to diplomatic missions. The attackers, linked to Russia's Federal Security Service (FSB), have been exploiting their adversary-in-the-middle position at the ISP level to infect systems with custom ApolloShadow malware. This is the first time Microsoft has confirmed Secret Blizzard's capability to conduct espionage at the ISP level.

  • Microsoft has warned about a sophisticated cyber-espionage campaign targeting diplomatic missions in Moscow using ISP access.
  • The attackers, linked to Russia's FSB, are using an adversary-in-the-middle (AiTM) position at the ISP level to launch attacks.
  • The hacking group, tracked as Secret Blizzard or Turla, is infecting systems with custom ApolloShadow malware.
  • ApolloShadow installs a trusted root certificate so that compromised devices treat attacker-controlled websites as legitimate, giving the group long-term access for intelligence gathering.
  • The campaign has been ongoing since at least 2024 and targets foreign embassies, diplomatic entities, and sensitive organizations in Moscow.
  • Turla is also suspected behind attacks on government agencies, research facilities, and other targets across many countries since at least 1996.
  • A joint action by Five Eyes cybersecurity and intelligence agencies took down a peer-to-peer network infected with Snake malware.
  • The threat group has been spotted hijacking infrastructure to target Ukrainian military devices via Starlink.


    Microsoft has issued a warning about a highly sophisticated cyber-espionage campaign targeting diplomatic missions in Moscow, which uses Internet Service Provider (ISP) access to launch attacks. According to the company's cybersecurity team, the attackers are linked to Russia's Federal Security Service (FSB) and are utilizing an adversary-in-the-middle (AiTM) position at the ISP level.

    The hacking group, tracked by Microsoft as Secret Blizzard, also known as Turla, Waterbug, or Venomous Bear, has been observed exploiting its AiTM position to infect the systems of diplomatic missions with custom ApolloShadow malware. To do this, they redirect targets to captive portals and trick them into downloading and executing a malware payload disguised as a Kaspersky antivirus installer.

    Once deployed, ApolloShadow installs a trusted root certificate disguised as Kaspersky Anti-Virus. With that root in place, compromised devices accept attacker-controlled websites as legitimate, which lets the threat actors maintain long-term access for intelligence gathering after infiltrating diplomatic systems. This is the first time Microsoft has confirmed Secret Blizzard's capability to conduct espionage at the ISP level, posing a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow that rely on local internet providers.
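    The persistence step described above, a rogue root CA added to the Windows trust stores, is something a defender can check for directly. The following PowerShell script is an added example and is not code from the article or from Microsoft's report: it records a baseline of the machine and user trusted root stores on a known-good host and, on later runs, reports any root that was not in that baseline. The baseline file path and the "Kaspersky" subject heuristic are assumptions made for the example.

```powershell
# Added example: baseline-diff the Windows trusted root stores to surface
# newly added root CAs. Baseline path and subject heuristic are assumptions.
param(
    [string]$BaselinePath = "$env:ProgramData\root-ca-baseline.json",
    [switch]$WriteBaseline
)

# Per-user installers commonly land in CurrentUser\Root, so check both stores.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-RootCaInventory {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
            }
        }
    }
}

$current = @(Get-RootCaInventory)

if ($WriteBaseline -or -not (Test-Path $BaselinePath)) {
    # First run on a known-good host: record what is trusted today.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) roots)"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($b in $baseline) { $known["$($b.Store)|$($b.Thumbprint)"] = $true }

# Anything trusted now that was not trusted at baseline time is worth a look.
$new = @($current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") })

foreach ($c in $new) {
    # A root naming a security vendor that is absent from the baseline matches
    # the pattern described for ApolloShadow; a legitimately installed product
    # would already have been present when the baseline was taken.
    $flag = if ($c.Subject -match 'Kaspersky') { 'HIGH' } else { 'REVIEW' }
    Write-Output ("[{0}] {1} {2} added (NotBefore {3}) Subject={4}" -f `
        $flag, $c.Store, $c.Thumbprint, $c.NotBefore, $c.Subject)
}
if ($new.Count -eq 0) { Write-Output 'No new trusted roots since baseline.' }
```

    Run once with -WriteBaseline on a clean build, then schedule the script and forward its output to your SIEM; a HIGH line is a trigger to pull the certificate and the process that installed it for analysis.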

    The cyber-espionage campaign, which has been ongoing since at least 2024, also takes advantage of Russia's domestic interception systems, including the System for Operative Investigative Activities (SORM), to carry out its large-scale AiTM campaigns. The attackers, known as Turla, have been orchestrating cyber-espionage and information theft campaigns targeting embassies, governments, and research facilities across over 100 countries since at least 1996.

    Turla is also the primary suspect behind attacks targeting the U.S. Central Command, NASA, the Pentagon, multiple Eastern European Ministries of Foreign Affairs, the Finnish Foreign Ministry, and EU governments and embassies. The group is known for its unconventional tactics, including controlling malware through comments on Britney Spears' Instagram photos and using backdoor trojans with their own APIs.

    In a joint action involving Five Eyes cybersecurity and intelligence agencies, a peer-to-peer (P2P) network of computers infected with Snake cyber-espionage malware was taken down. The threat group has also been spotted hijacking the infrastructure of Pakistani threat actor Storm-0156 to target Ukrainian military devices connected via Starlink.

    This latest development highlights the evolving nature of cyber threats and the importance of staying vigilant in the face of emerging risks. As cybersecurity threats continue to evolve, it is essential for organizations to adopt robust security measures and stay informed about the latest developments in the field.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-Hackers-Utilize-ISP-Access-to-Launch-Sophisticated-AiTM-Attacks-on-Embassies-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/microsoft-russian-hackers-use-isp-access-to-hack-embassies-in-aitm-attacks/


  • Published: Thu Jul 31 11:57:46 2025 by llama3.2 3B Q4_K_M