Microsoft says Russian hackers are planting fake antivirus software in embassy attacks


  • Microsoft uncovers cyber espionage attacks targeting diplomats
  • Embassies within Russia are being hit with malware
  • The threat actors are using adversary-in-the-middle attacks

Foreign embassies in Moscow are being targeted by Russian state hackers, who are using custom malware tracked as ApolloShadow, disguised as Kaspersky antivirus software, new reports have claimed.

The end goal of the attacks is to install an attacker-controlled TLS root certificate on the victim machine, which lets the threat actor ‘cryptographically impersonate’ trusted websites visited from the infected system inside the embassy, Microsoft Threat Intelligence reports.
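A rogue root certificate only works for this kind of impersonation if it sits in the victim's trusted root store, which is also where a defender can look for it. The PowerShell below is an added example, not code from the article or from Microsoft's report: it compares the Windows trusted root stores against a baseline of thumbprints captured from a known-good host (the baseline path and the review window are assumptions) and reports any root the baseline does not contain.

```powershell
# Added example, not code from the article or from Microsoft's report.
# Compares the Windows trusted root stores with a baseline of thumbprints
# captured from a known-good host (path is assumed) and reports anything
# new, noting whether it is self-signed and whether it was issued recently.

$BaselinePath = 'C:\baseline\trusted-roots.txt'   # assumed: one thumbprint per line
$Stores       = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$Lookback     = (Get-Date).AddDays(-180)          # assumed review window

# Load the baseline into a hashtable keyed by upper-case thumbprint.
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
}

# Walk both root stores; a user-scoped root is enough for most Windows
# applications to trust a forged certificate chain, so check it as well.
$findings = foreach ($store in $Stores) {
    foreach ($cert in (Get-ChildItem -Path $store)) {
        if (-not $baseline.ContainsKey($cert.Thumbprint.ToUpper())) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Recent     = ($cert.NotBefore -gt $Lookback)
            }
        }
    }
}

$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Build the baseline on a machine you trust with `Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Set-Content C:\baseline\trusted-roots.txt`. A root that is absent from the baseline is not automatically malicious, since Windows also adds roots through its automatic root update mechanism, so check the subject and issuer of each finding before acting on it; an attacker can also backdate NotBefore, so the `Recent` column is a hint, not a verdict.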

“This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers,” the experts noted.

Secret Blizzard

This cyber espionage campaign targeting diplomats and embassies uses what's known as an adversary-in-the-middle (AiTM) attack, which occurs when hackers intercept and alter communications between two parties without their knowledge.

These attacks frequently rely on other vectors, such as social engineering emails or messages, to create conditions in which an attacker can intercept and manipulate the communications between users and the legitimate services they use, and then steal credentials and authenticated access tokens.

The notorious threat actor, Secret Blizzard, has previously been observed targeting Ukrainian military systems by co-opting the access and infrastructure that other threat actors had already established. The group is one of the most sophisticated and most prolific state-sponsored threat actors in the world.

Microsoft had previously assessed with ‘low confidence’ that Secret Blizzard was conducting cyberespionage inside Russia against its adversaries; the company now says it can confirm that the group has the capability to carry out such operations at the internet service provider (ISP) level.


This means diplomats who use local ISPs or telecommunications providers within Russia are ‘highly likely’ to be targeted through Secret Blizzard’s AiTM position inside those services.

“In our previous blog, we reported the actor likely leverages Russia’s domestic intercept systems such as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating the actor’s current AiTM activity, judging from the large-scale nature of these operations,” Microsoft confirmed.


Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
