The Russian state-sponsored hacker group, known as Secret Blizzard, has been identified as conducting a sophisticated cyber espionage campaign targeting foreign embassies in Moscow. This nefarious operation utilizes adversary-in-the-middle (AitM) tactics at the Internet Service Provider (ISP) level and deploys a custom malware named ApolloShadow.
According to the Microsoft Threat Intelligence team, ApolloShadow is capable of installing a trusted root certificate, thereby deceiving devices into trusting fraudulent websites controlled by the attackers. This allows Secret Blizzard to maintain persistent access to diplomatic devices with the intent of gathering intelligence. The campaign is believed to have been active since 2024 and represents a significant security threat to diplomatic personnel reliant on local ISPs or telecommunications services while in Russia.
Secret Blizzard, previously known as Krypton, is linked to the Russian Federal Security Service. They have also been tracked under various aliases in the cybersecurity community, including Blue Python, Iron Hunter, and Waterbug.
In December 2024, Microsoft and Lumen Technologies’ Black Lotus Labs uncovered that this group had been misusing a threat actor’s command-and-control infrastructure based in Pakistan to facilitate its own cyberattacks, a tactic aimed at obscuring attribution. The group has also leveraged malware linked to other actors to deliver its Kazuar backdoor to devices in Ukraine.
Microsoft highlights that the AitM position is likely enabled through lawful interception practices, including the installation of root certificates masquerading as Kaspersky antivirus, allowing the attackers elevated access to systems.
The initial access to targets is achieved by directing devices to hacker-controlled infrastructure through a captive portal, which subsequently prompts the download and execution of ApolloShadow. Once behind the captive portal, the legitimate Windows service, Test Connectivity Status Indicator, is triggered, inadvertently initiating the malicious process.
The malware then sends information about the host to its command-and-control server and executes a file named CertificateDB.exe, which helps retrieve a second-stage payload, an unknown Visual Basic Script. ApolloShadow then seeks elevated privileges by displaying a User Account Control (UAC) prompt to the user.
If the malware is already running with sufficient privileges, it uses them to set the network profile to private, modify registry settings, and create an administrative user for persistent access. These changes would make lateral movement across the network easier, although no direct attempts to move laterally were observed in this instance.
The malware also installs root certificates on the target systems using the certutil utility, so that attacker-controlled sites present as trusted to the victim's browsers and applications. Because Firefox maintains its own certificate store rather than using the Windows one, a script is also dropped to make Mozilla Firefox trust the newly installed root certificates.
To counter activities from Secret Blizzard, diplomatic entities in Moscow are advised to enforce strict security practices, including implementing the principle of least privilege, regularly reviewing privileged group memberships, and routing all traffic through encrypted channels or VPNs.
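The two changes described above, a new root certificate and a new local administrator, are both easy to baseline and diff. The following PowerShell script is an added example for defenders and is not code from the article or from Microsoft; it assumes it is run elevated on the audited Windows host, and the baseline file path is an arbitrary choice.

```powershell
# Added example (not from the article): snapshot the machine's trusted root store and the
# local Administrators group, then on later runs report anything that was not in the snapshot.
# Assumptions: run elevated; $BaselinePath is an arbitrary location chosen for this example.
param(
    [string]$BaselinePath = "$env:ProgramData\rootstore-baseline.json",
    [switch]$Snapshot    # write/refresh the baseline instead of diffing against it
)

function Get-RootStoreState {
    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore.ToString('o')
        }
    }
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    [pscustomobject]@{ Certs = @($certs); Admins = @($admins) }
}

$current = Get-RootStoreState
if ($Snapshot -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath ($($current.Certs.Count) roots, $($current.Admins.Count) admins)"
    return
}

$baseline    = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$knownThumbs = @($baseline.Certs | ForEach-Object { $_.Thumbprint })
$knownAdmins = @($baseline.Admins)

# Root CAs that appeared after the baseline was taken. A self-signed root (Subject equals
# Issuer) carrying a security vendor's name is the pattern the article describes.
$newRoots = $current.Certs | Where-Object { $knownThumbs -notcontains $_.Thumbprint }
foreach ($c in $newRoots) {
    $flag = if ($c.Subject -eq $c.Issuer) { '(self-signed)' } else { '' }
    Write-Warning "New root CA: $($c.Subject) [$($c.Thumbprint)] valid from $($c.NotBefore) $flag"
}

# Accounts added to the local Administrators group since the baseline.
$newAdmins = $current.Admins | Where-Object { $knownAdmins -notcontains $_ }
foreach ($a in $newAdmins) { Write-Warning "New local administrator: $a" }

if (-not $newRoots -and -not $newAdmins) { Write-Host 'No changes to root store or Administrators group.' }
```

Take the baseline from a freshly provisioned device before it ever joins a local network, and keep the baseline file somewhere the audited host cannot silently overwrite it.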