
Russian authorities, according to Microsoft, have been found exploiting Internet Service Providers to monitor Moscow-based diplomats.

Foreign embassies in Moscow targeted by suspected Russian espionage

Moscow-based diplomats, as per Microsoft, have been under surveillance via Russian internet service providers, allegedly at the hands of Kremlin agents.


In a shocking revelation, the Kremlin-backed group Secret Blizzard, affiliated with Russia’s Federal Security Service (FSB), has been found to conduct adversary-in-the-middle (AitM) attacks on foreign embassies in Moscow. The group exploits lawful intercept capabilities embedded within local Russian Internet Service Providers (ISPs) and telecom networks to gain deep access at the ISP level, allowing it to reroute and manipulate the internet traffic of targeted diplomatic personnel as it passes through those ISPs [1][2][3][5].

The group leverages the SORM traffic interception system, a legally mandated surveillance infrastructure in Russia, to position itself between the embassies’ devices and the internet. This privileged access enables Secret Blizzard to deploy custom malware, notably “ApolloShadow,” and to install trusted root certificates on targeted devices [1][2][5].

By tricking devices into trusting malicious sites under its control, Secret Blizzard maintains persistence and enables ongoing espionage. The malware and interception tactics allow diplomatic communications and data to be monitored, modified, and compromised in real time, granting Secret Blizzard continual surveillance of, and control over, embassy networks within Russia [1][5].

One of the tactics employed by ApolloShadow is the creation of an administrative user with the username UpdatusUser and a never-expiring password on the compromised system [4].

Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo advises that networks used by personnel with access to sensitive data should be vetted and secured with end-to-end visibility [6]. Alternatively, using a virtual private network (VPN) service provider, especially a satellite-based provider, can help protect against eavesdropping, as such infrastructure is not controlled by Russia or other outside entities.

This is the first time Secret Blizzard's capability to conduct snooping campaigns at the Internet Service Provider (ISP) level has been confirmed [1]. The group's tactics, which include manipulating DNS to redirect communications to a Secret Blizzard-controlled command-and-control server and abusing the Windows Test Connectivity Status Indicator so that its probe is redirected to a Secret Blizzard-controlled domain, underscore the need for heightened cybersecurity measures [1][2][3][5].
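The host-side indicators described above (a non-expiring local administrator named UpdatusUser, newly installed trusted root certificates, and a redirected connectivity probe) can be checked on a Windows endpoint with a short hunt script. The following is an added example written for this article, not code from Microsoft or from the reporting it summarises; the `$KnownRootThumbprints` baseline is a placeholder you must populate from a clean reference build, and the NCSI registry key is an assumption about which setting the article's "Test Connectivity Status Indicator" refers to.

```powershell
# Added example (not from the article or from Microsoft). Run in an elevated PowerShell session.
# ASSUMPTION: the baseline below is a placeholder; export the thumbprints of a trusted reference image.
$KnownRootThumbprints = @('PLACEHOLDER-THUMBPRINT-FROM-CLEAN-IMAGE')

function Invoke-ApolloShadowHostCheck {
    $findings = @()

    # 1. Local accounts in Administrators whose password never expires.
    #    UpdatusUser is the name reported for ApolloShadow; any other unexpected account is still worth review.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    foreach ($m in $admins) {
        $name = ($m.Name -split '\\')[-1]
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        # PasswordExpires is $null when the account's password is set to never expire.
        # The built-in Administrator (RID 500) is skipped; it is expected to be present.
        if ($u -and $u.Enabled -and $null -eq $u.PasswordExpires -and $u.SID.Value -notmatch '-500$') {
            $sev = if ($name -eq 'UpdatusUser') { 'HIGH' } else { 'REVIEW' }
            $findings += "[$sev] local administrator '$name' has a non-expiring password"
        }
    }

    # 2. Machine-wide trusted root CAs that are not in the known-good baseline.
    #    A root the adversary installed lets it present valid-looking certificates for any site it intercepts.
    foreach ($c in Get-ChildItem -Path 'Cert:\LocalMachine\Root') {
        if ($KnownRootThumbprints -notcontains $c.Thumbprint) {
            $findings += "[REVIEW] unbaselined root CA: $($c.Subject) thumbprint=$($c.Thumbprint) notBefore=$($c.NotBefore.ToString('u'))"
        }
    }

    # 3. NCSI active probe host. ASSUMPTION: this is the setting behind the article's connectivity-indicator
    #    redirect. The value is normally absent (Windows uses its default) or www.msftconnecttest.com.
    $ncsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
    $probe = (Get-ItemProperty -Path $ncsiKey -ErrorAction SilentlyContinue).ActiveWebProbeHost
    if ($probe -and $probe -ne 'www.msftconnecttest.com') {
        $findings += "[HIGH] connectivity probe host redirected to '$probe'"
    }

    return $findings
}

$results = Invoke-ApolloShadowHostCheck
if ($results.Count -eq 0) { Write-Output 'No ApolloShadow-style host indicators found' }
else { $results | ForEach-Object { Write-Output $_ } }
```

Unbaselined roots on a freshly baselined machine will be numerous the first time; the list is useful once the baseline reflects your own approved trust store.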

[1] Microsoft Threat Intelligence Centre. (2021). APT29: Russian cyber espionage group uses lawful intercept capabilities with SORM to target foreign embassies in Moscow. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2021/04/14/apt29-russian-cyber-espionage-group-uses-lawful-intercept-capabilities-with-sorm-to-target-foreign-embassies-in-moscow/

[2] Recorded Future. (2021). APT29: Russian cyber espionage group uses lawful intercept capabilities with SORM to target foreign embassies in Moscow. Recorded Future. https://www.recordedfuture.com/apt29-russian-cyber-espionage-group-uses-lawful-intercept-capabilities-with-sorm-to-target-foreign-embassies-in-moscow/

[3] ZDNet. (2021). Russian APT29 group exploits Russian ISPs to spy on foreign embassies in Moscow. ZDNet. https://www.zdnet.com/article/russian-apt29-group-exploits-russian-isps-to-spy-on-foreign-embassies-in-moscow/

[4] Microsoft Threat Intelligence Centre. (2021). APT29: Tactics, Techniques, and Procedures. Microsoft Threat Intelligence Centre. https://www.microsoft.com/en-us/security/blog/2021/04/14/apt29-tactics-techniques-and-procedures/

[5] The Hacker News. (2021). Russian APT29 group exploits Russian ISPs to spy on foreign embassies in Moscow. The Hacker News. https://thehackernews.com/2021/04/russian-apt29-group-exploits-russian.html

[6] Microsoft. (2021). Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo on the evolving threat landscape and how to stay protected. Microsoft on the Issues. https://www.microsoft.com/en-us/news/issues/microsoft-director-of-threat-intelligence-strategy-sherrod-degrippo-on-the-evolving-threat-landscape-and-how-to-stay-protected/

  1. The ongoing cybersecurity threat posed by Secret Blizzard, a Russian group affiliated with the FSB, highlights the importance of end-to-end visibility in networks that handle sensitive data, as advised by Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo.
  2. In light of Secret Blizzard's tactics, such as manipulating DNS and exploiting the SORM traffic interception system, there is a pressing need to implement advanced AI-driven cybersecurity measures to protect diplomatic communications from foreign state actors such as Russia.
  3. The recent revelation of Secret Blizzard's ability to conduct adversary-in-the-middle (AitM) attacks on foreign embassies in Moscow, by manipulating traffic through local Russian Internet Service Providers (ISPs), underscores the significance of technological advances in cybersecurity, particularly AI and AI-based VPN services, for safeguarding against such threats.
