Cyber Espionage Threat: Secret Blizzard Targets Foreign Embassies
The Russian cyber threat group, known as Secret Blizzard, is reportedly executing a sophisticated cyber espionage operation aimed at foreign embassies in Moscow. This operation employs an adversary-in-the-middle (AitM) attack strategy at the Internet Service Provider (ISP) level, effectively introducing custom malware named ApolloShadow into targeted systems.
The Mechanics of ApolloShadow
According to the Microsoft Threat Intelligence team, ApolloShadow has the unique functionality to install a trusted root certificate. With that certificate in place, a device treats sites under the attackers' control as legitimate, since the certificates they present chain to a root the system now trusts. Such tactics enable Secret Blizzard to maintain a foothold on diplomatic devices, primarily for the purpose of gathering intelligence. Microsoft's analysis indicates that this malicious activity has been ongoing since at least 2024, representing a notable security risk for diplomatic personnel relying on local ISPs or telecommunications services within Russia.
Secret Blizzard’s Background and Aliases
Secret Blizzard, once known as Krypton, is linked to the Russian Federal Security Service and is recognized under various names in cybersecurity circles. Some of these include Blue Python, Iron Hunter, Pensive Ursa, Snake, SUMMIT, Uroburos, Turla, Venomous Bear, and Waterbug. This extensive list highlights the group's adeptness in cyber operations and the persistent threat it poses.
Exploiting Command-and-Control Infrastructure
In December 2024, both Microsoft and Lumen Technologies' Black Lotus Labs reported that Secret Blizzard has utilized the command-and-control infrastructure of a threat actor based in Pakistan. This strategy complicates the attribution of their attacks, demonstrating the group's advanced tactics. Additionally, Secret Blizzard has shown a capability to leverage malware from other threat actors to deploy its Kazuar backdoor, particularly on devices in Ukraine.
Gaining Initial Access
Initial access to targeted devices is achieved through redirection to malicious infrastructure, often using a captive portal. This method is designed to execute the ApolloShadow malware with minimal detection. According to Microsoft, once a device is placed behind this captive portal, the Windows Test Connectivity Status Indicator is triggered. This legitimate Windows service checks for internet access by sending an HTTP GET request, which should normally redirect to a legitimate URL. However, in this case, it reroutes the system to a compromised domain that prompts users to download and execute the malicious software.
Handling Elevated Privileges
Upon execution, ApolloShadow begins by collecting information about the host system and, if it is not already running with administrative privileges, runs a binary named CertificateDB.exe. The malware fetches a second-stage payload, typically an obscure Visual Basic Script. One of its critical functions involves presenting the user with a User Account Control (UAC) pop-up, nudging them to grant it full access to the device.
Modifying Network Settings and Gaining Persistence
If ApolloShadow detects that it is running with necessary elevated privileges, it will exploit these permissions to adjust all network settings to Private and establish an admin user named UpdatusUser with a hard-coded password. These adjustments facilitate persistent access to the compromised machine. By modifying firewall rules and relaxing restrictions for file sharing, the malware potentially eases lateral movement within the network, despite no direct attempts at lateral movement being observed so far.
Installing Malicious Certificates
After securing access, the malware initiates a certificate deployment process that installs two root certificates using the certutil utility. Additionally, it creates a file named "wincert.js," which causes Mozilla Firefox (which keeps its own trust store rather than using the Windows one) to recognize and trust these root certificates. This process significantly enhances the malware's capability to act undetected on the compromised device.
Defensive Strategies Against Secret Blizzard
Given the sophisticated nature of Secret Blizzard’s operations, diplomatic entities operating in Moscow are advised to adopt a principle of least privilege (PoLP). This methodology involves routinely reviewing privileged groups and ensuring all traffic is securely routed through an encrypted tunnel to a trusted network. The use of a reliable virtual private network (VPN) service is also highly encouraged to bolster security measures against these persistent threats.
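As an added example (not from the article or from Microsoft's report), the following PowerShell triage script checks a Windows host for the artifacts the article names: the UpdatusUser admin account, network profiles switched to Private, recently installed root certificates, and a wincert.js file in Firefox locations. The Firefox search paths and the 30-day certificate window are assumptions; run it from an elevated prompt.

```powershell
# Added defensive check; not code from the article or Microsoft's report.
# Assumptions: Firefox lives in Program Files or per-user AppData profiles,
# and a root certificate valid from within the last 30 days is worth review.

$findings = @()

# 1. Local Administrators member named UpdatusUser (article: hard-coded admin account)
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($m.Name -like '*\UpdatusUser') { $findings += "Admin account present: $($m.Name)" }
}

# 2. Network profiles set to Private (the malware flips all of them; domain-joined
#    hosts normally show DomainAuthenticated, so Private here deserves a look)
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Private' } | ForEach-Object {
    $findings += "Private network profile: $($_.Name) on $($_.InterfaceAlias)"
}

# 3. Root certificates that became valid recently (certutil -addstore lands them in
#    LocalMachine\Root); compare each against the issuers you expect in your estate
$cutoff = (Get-Date).AddDays(-30)   # assumed review window
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.NotBefore -gt $cutoff } | ForEach-Object {
    $findings += "Recent root cert: $($_.Subject) thumbprint $($_.Thumbprint) valid from $($_.NotBefore)"
}

# 4. wincert.js dropped for Firefox (assumed locations: install dir and user profiles)
$firefoxPaths = @(
    "$env:ProgramFiles\Mozilla Firefox",
    "${env:ProgramFiles(x86)}\Mozilla Firefox"
) + (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Mozilla\Firefox' })
foreach ($p in $firefoxPaths) {
    if (Test-Path $p) {
        Get-ChildItem $p -Recurse -Filter 'wincert.js' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Firefox trust file: $($_.FullName)" }
    }
}

if ($findings.Count -eq 0) { 'No ApolloShadow indicators found.' } else { $findings }
```

A hit on any single check is a lead, not a verdict: Private profiles and new root certificates have legitimate causes, so confirm the certificate subjects and account creation time before escalating.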