ISPs exploited in Secret Blizzard cyberespionage campaign against embassies

Multiple local internet service providers across Russia have been targeted by Secret Blizzard, also known as Turla, a Russian state-backed advanced persistent threat group, in order to compromise foreign embassies in Moscow with the ApolloShadow malware. The cyberespionage campaign has been underway since last year, according to The Record, a news site by cybersecurity firm Recorded Future.

Using an adversary-in-the-middle technique, Secret Blizzard has redirected diplomatic personnel who connect through local ISPs to network access management (captive portal) web pages and then on to another attacker-controlled domain, where the ApolloShadow malware could be downloaded disguised as a Kaspersky antivirus installer, a report from Microsoft revealed. Aside from reducing firewall restrictions, ApolloShadow also makes numerous system changes that facilitate lateral movement within the network. "Russia itself may reuse or expand this campaign depending on its intelligence objectives. This campaign is emblematic of how state-sponsored groups are collapsing the boundary between 'passive surveillance' and 'active intrusion,'" said Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo.

