Secret Blizzard’s ApolloShadow Malware Unleashes ISP-Level AiTM Attacks

Russian state-backed threat actor Secret Blizzard uses an ISP-level interception technique to infect foreign embassies in Moscow with the ApolloShadow malware.

In a newly observed cyber-espionage technique, the FSB-linked threat group Secret Blizzard used lawful-intercept capabilities inside local Internet Service Providers to mount adversary-in-the-middle (AiTM) attacks. By routing diplomatic devices behind a captive portal, the group delivers its custom ApolloShadow malware, installs rogue root certificates, and gains persistent, high-privilege access for intelligence collection.

ISP-Level Adversary-in-the-Middle Attacks

An adversary-in-the-middle attack intercepts or alters traffic between an end user and the internet. What makes this campaign notable is that the interception happens at the ISP level, most likely by abusing Russia's lawful-intercept capability, the System for Operative Investigative Activities (SORM). Positioned directly in the traffic path, the actor can hijack unencrypted connections outright and, once its rogue root certificate is trusted on a victim device, terminate and decrypt TLS sessions, harvest credentials, and deliver malicious content, all without exploiting a single software vulnerability.

The ApolloShadow Infection Chain

Captive Portal Redirection

Diplomatic devices that connect through local ISPs have their traffic redirected to a fake captive portal when the Windows Test Connectivity Status Indicator (WTCI) check runs. That probe is a plain HTTP request, so an ISP-level AiTM can rewrite it without any certificate trust in place. Instead of reaching the legitimate msftconnecttest.com redirect, users land on an actor-controlled domain that shows a certificate error and prompts them to download ApolloShadow.
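To make the redirection concrete, the following is an added example and not code from the original article or from Microsoft's analysis. It parses constructed HTTP responses to the Windows connectivity probe and classifies them the way Windows does: the exact text "Microsoft Connect Test" means the device is online, anything else is treated as a captive portal, and for a redirect it extracts the host the user's browser would be sent to. The placeholder domain captive-portal.example and the response bodies are made up for the example.

```python
"""Classify the response to the Windows connectivity probe as 'connected' or
as a captive-portal hijack, over constructed HTTP responses."""
from urllib.parse import urlsplit

# What Windows expects from its active probe: a plain-HTTP GET for
# http://www.msftconnecttest.com/connecttest.txt returning exactly this body.
PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"
EXPECTED_BODY = b"Microsoft Connect Test"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response parser: (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ", 2)[1].decode())
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def classify_probe(raw: bytes) -> dict:
    """Mirror the decision Windows makes: the exact expected body means
    'connected'; anything else is treated as a captive portal, and a redirect
    tells us where the browser would be sent."""
    status, headers, body = parse_http_response(raw)
    if status == 200 and body.strip() == EXPECTED_BODY:
        return {"verdict": "connected", "portal_host": None}
    if status in REDIRECT_STATUSES and "location" in headers:
        host = urlsplit(headers["location"]).hostname
        return {"verdict": "captive_portal_redirect", "portal_host": host}
    return {"verdict": "captive_portal_content_mismatch", "portal_host": None}


# Constructed responses (not real captures).
LEGIT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
         b"Microsoft Connect Test")
# An in-path AiTM rewriting the plaintext probe into a redirect to a
# hypothetical actor page (captive-portal.example is a placeholder).
HIJACK_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: http://captive-portal.example/\r\nContent-Length: 0\r\n\r\n")
# The same AiTM answering 200 but with its own HTML instead of the probe text.
HIJACK_INLINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>Certificate error - install CertificateDB.exe</body></html>")


def triage(responses):
    """Classify a batch of (label, raw_response) pairs; returns label -> verdict."""
    return {label: classify_probe(raw)["verdict"] for label, raw in responses}


if __name__ == "__main__":
    batch = [("legit", LEGIT), ("redirect", HIJACK_REDIRECT), ("inline", HIJACK_INLINE)]
    for label, verdict in triage(batch).items():
        print(f"{label:8s} -> {verdict}")
```

The same check applies one step later in the chain: when Windows opens the browser on the msftconnecttest.com redirect, a Location header pointing anywhere other than Microsoft's own hosts is the signal that the ISP path is being tampered with.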

Delivery and Privilege Escalation

When it runs, ApolloShadow checks its process token. If the process is not already elevated, it poses as a Kaspersky antivirus installer (the binary is named CertificateDB.exe) and triggers a User Account Control (UAC) prompt.

  • Low-privilege path: Shows a UAC prompt to obtain the user's approval, under the antivirus pretext, for installing the root certificates.
  • Elevated path: Immediately modifies network profiles and firewall settings so that every connection is classed as "Private", which relaxes network discovery and file-sharing restrictions and eases lateral movement.

Root Certificate Installation and Persistence

The malware writes two certificate files to the %TEMP% folder and uses certutil.exe to add them to the root and enterprise certificate stores, which lets the AiTM present forged certificates and intercept HTTPS traffic transparently. To cover browsers that keep their own trust store, it drops wincert.js into Firefox's preferences to enable enterprise roots, so Firefox also trusts the Windows root store. Finally, it creates a backdoor administrator account (UpdatusUser) with a hard-coded password for persistent access.
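Every artifact above is observable on the host. The following is an added example, not code from the article or from Microsoft: Python detection logic run over constructed Sysmon-style and Security-log-style events, with one rule per artifact (certutil -addstore into the Root store, a .js file dropped under the Firefox install, a NetworkList profile Category forced to 1 = Private, an account added to local Administrators) and a per-host roll-up. The hostnames, paths, profile GUIDs, the benign look-alike events, and the assumption that wincert.js lands in Firefox's defaults\pref directory are all made up for the example.

```python
"""Detection logic for ApolloShadow-style post-install artifacts, run over
constructed Windows telemetry (Sysmon-style and Security-log-style events)."""
import re

# Constructed events. Field names follow Sysmon event 1 (process create),
# 11 (file create), 13 (registry value set) and Security event 4732 (member
# added to a local group). Hosts, paths and profile GUIDs are made up.
SAMPLE_EVENTS = [
    # ws01: the chain the article describes
    {"host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore -f root C:\Users\u\AppData\Local\Temp\cert1.crt"},
    {"host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -enterprise -addstore root C:\Users\u\AppData\Local\Temp\cert2.crt"},
    # assumed drop location for wincert.js: Firefox's defaults\pref directory
    {"host": "ws01", "EventID": 11,
     "TargetFilename": r"C:\Program Files\Mozilla Firefox\defaults\pref\wincert.js"},
    # NetworkList profile Category: 0 = Public, 1 = Private, 2 = Domain
    {"host": "ws01", "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList"
                     r"\Profiles\{11111111-2222-3333-4444-555555555555}\Category"},
    {"host": "ws01", "EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": r"WS01\UpdatusUser"},
    # ws02: benign look-alikes that must not fire
    {"host": "ws02", "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\installers\setup.exe SHA256"},
    {"host": "ws02", "EventID": 13, "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList"
                     r"\Profiles\{66666666-7777-8888-9999-000000000000}\Category"},
    {"host": "ws02", "EventID": 11, "TargetFilename": r"C:\Users\u\Downloads\notes.js"},
]


def _cmd(e):
    return e.get("CommandLine", "")


# Each rule covers one artifact from the chain and returns True when it fires.
RULES = {
    # certutil adding anything to the Root store (with or without -enterprise)
    "certutil_root_store_add": lambda e: e.get("EventID") == 1
        and e.get("Image", "").lower().endswith("certutil.exe")
        and re.search(r"-addstore\b", _cmd(e), re.I) is not None
        and re.search(r"\broot\b", _cmd(e), re.I) is not None,
    # a .js file written anywhere under the Firefox install (pref/autoconfig)
    "firefox_pref_js_dropped": lambda e: e.get("EventID") == 11
        and re.search(r"\\Mozilla Firefox\\.*\.js$",
                      e.get("TargetFilename", ""), re.I) is not None,
    # a network profile's Category forced to 1 (Private)
    "network_profile_forced_private": lambda e: e.get("EventID") == 13
        and re.search(r"\\NetworkList\\Profiles\\\{[^}]+\}\\Category$",
                      e.get("TargetObject", ""), re.I) is not None
        and e.get("Details") == "DWORD (0x00000001)",
    # an account added to the local Administrators group
    "local_admin_group_add": lambda e: e.get("EventID") == 4732
        and e.get("TargetUserName", "").lower() == "administrators",
}


def detect(events):
    """Return (host, rule_name, event) for every rule that fires."""
    return [(ev["host"], name, ev)
            for ev in events for name, rule in RULES.items() if rule(ev)]


def triage(events, threshold=3):
    """Per host, the distinct rules that fired and a verdict. Single hits are
    noisy (admins do run certutil); several together on one host match the
    chain described in the article."""
    per_host = {}
    for host, rule, _ in detect(events):
        per_host.setdefault(host, set()).add(rule)
    return {host: {"rules": sorted(rules),
                   "verdict": ("likely ApolloShadow-style chain"
                               if len(rules) >= threshold else "review")}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary["verdict"], ", ".join(summary["rules"]))
```

The roll-up is the part worth keeping: any one of these rules fires on legitimate administration, but a root-store addition, a Firefox trust change, a profile flipped to Private and a new local administrator landing on the same host in a short window is the shape of this chain, not of routine maintenance.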

Implications for Diplomatic Security

  • Silent TLS Interception: With its rogue root trusted across a fleet of devices, ApolloShadow lets the AiTM decrypt HTTPS traffic without browser warnings, exposing credentials, diplomatic cables, and confidential documents.
  • User-Assisted Installation: Even trained users can approve the malicious action, mistaking it for an antivirus update.
  • Network Hardening Bypass: Network profile and firewall settings are changed through administrative APIs without any alert to the user.

Broader Context and Data

Supply-chain attacks and credential theft against pharmacy chains, banks, and government offices are well documented; what is unexpected here is AiTM carried out at the ISP level. Although 74% of surveyed respondents rank network-level interception as the primary espionage threat, only 41% have implemented real-time ISP monitoring, so network protection remains insufficient. According to the World Economic Forum, state-initiated cyber-espionage activity grew 38% year over year.

Defense Techniques and Best Practices

  • Principle of Least Privilege (PoLP): Limit administrative rights and use Just-In-Time (JIT) elevation, so a user who clicks through a fake installer's UAC prompt has no standing admin rights to grant.
  • Encrypted Tunnels: Route all traffic through trusted VPNs or encrypted tunnels that terminate outside Russian jurisdiction; consider satellite or foreign-hosted options. A tunnel only helps if the client authenticates its endpoint independently of the Windows root store (a pinned or bundled CA), and any rogue root already installed must be removed first.
  • Certificate Pinning and Monitoring: Pin certificates for key applications; alert on certutil -addstore executions, on new entries in the machine Root and enterprise stores, and on browser trust-setting changes such as Firefox's enterprise roots preference.
  • User Awareness and Training: Train users to treat unexpected UAC prompts with suspicion and to verify update sources before approving anything.
  • Network Anomaly Detection: Use IDS/IPS and endpoint telemetry to detect captive-portal redirects of the connectivity check, DNS manipulation, firewall rule changes, and network profiles unexpectedly switching to "Private".
