Russian hackers target local internet to spy on embassies in Moscow, Microsoft says
Briefly

The Russian cyberespionage unit known as Secret Blizzard seeks to spy on foreign embassies in Moscow through local internet and telecom infrastructure. In February, it deployed malware called ApolloShadow within the systems used by embassies, exploiting Russia's lawful intercept capabilities. The attack uses an "adversary-in-the-middle" strategy: communications intended for legitimate Microsoft servers are redirected to a hacker-controlled server, which prompts users to download the malicious software disguised as a Kaspersky antivirus installer. This allows the attackers to gain elevated privileges and access secure communications from diplomatic personnel.
The group, dubbed Secret Blizzard, was observed in February deploying a spying program called ApolloShadow inside the systems of local telecom and internet service providers used by embassies, aiming to intercept sensitive intelligence produced by diplomats and other staffers.
The cyberspies are likely exploiting Russia's "lawful intercept" architecture to seed the malware into internet and communications systems.
The "adversary-in-the-middle" attack involves placing targeted diplomatic devices behind a captive portal, a type of login page commonly used to grant access to public internet.
Once a device is placed behind the portal, Windows automatically launches its Connectivity Status Indicator, a legitimate service that checks for internet access by sending a request to a Microsoft site.
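The interception chain above hinges on what the Windows connectivity probe (the Network Connectivity Status Indicator, NCSI) gets back when it asks a Microsoft site whether the internet is reachable. The following script is an added defensive example, not code from the Nextgov article or from Microsoft: it classifies a captured probe response as genuine, redirected off-site (captive portal or adversary-in-the-middle), or answered with a substituted body such as a page pushing a download. It assumes the documented Windows probe, a GET to http://www.msftconnecttest.com/connecttest.txt that must return the text "Microsoft Connect Test"; the three sample responses at the bottom are constructed for illustration and are not real captures.

```python
"""Classify responses to the Windows connectivity probe to spot captive-portal
or adversary-in-the-middle interception of the NCSI check.

Added example; not code from the article or from Microsoft. Assumes the
documented probe URL and expected body; sample responses are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

PROBE_HOST = "www.msftconnecttest.com"      # documented Windows probe host
PROBE_PATH = "/connecttest.txt"
EXPECTED_BODY = "Microsoft Connect Test"    # documented expected probe body


@dataclass
class ProbeResponse:
    status: int
    headers: dict   # header names lower-cased
    body: str


def parse_raw_http(raw: str) -> ProbeResponse:
    """Split a raw HTTP/1.1 response (as captured on the wire) into parts."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return ProbeResponse(status, headers, body)


def classify(resp: ProbeResponse) -> str:
    """Return 'genuine', 'redirect-offsite', 'redirect-onsite',
    'tampered-body' or 'unexpected-status'."""
    if 300 <= resp.status < 400:
        location = resp.headers.get("location", "")
        host = (urlparse(location).hostname or "").lower()
        if host == PROBE_HOST:
            return "redirect-onsite"    # stays on Microsoft's host; unusual but not a portal
        return "redirect-offsite"       # classic captive-portal / AitM indicator
    if resp.status != 200:
        return "unexpected-status"
    if resp.body.strip() == EXPECTED_BODY:
        return "genuine"
    # 200 OK with a different body: something other than the real probe
    # endpoint answered, e.g. a portal page carrying a download prompt
    return "tampered-body"


def is_suspicious(resp: ProbeResponse) -> bool:
    """Anything other than the documented probe answer is worth alerting on."""
    return classify(resp) != "genuine"


# Constructed sample responses (not real captures)
GENUINE = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
           "Microsoft Connect Test")
PORTAL_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                   "Location: http://portal.example/login?next=%2Fconnecttest.txt\r\n"
                   "Content-Length: 0\r\n\r\n")
FAKE_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             "<html><body>Install the security update to continue</body></html>")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("portal", PORTAL_REDIRECT), ("fake", FAKE_PAGE)]:
        print(f"{name:8s} -> {classify(parse_raw_http(raw))}")
```

The check is only meaningful relative to where the device sits: a captive portal is expected on hotel Wi-Fi, but on a fixed diplomatic link where no portal should exist, a persistent non-genuine result for this probe is the kind of signal the article's scenario would produce, and it can be evaluated from a packet capture or proxy log without touching the endpoint.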
Read at Nextgov.com