The Russian state-sponsored hacking group known as Turla is reportedly leveraging its control over the country’s internet service providers (ISPs) to facilitate sophisticated cyberespionage activities. This FSB-affiliated group, also recognized by names like Snake and Secret Blizzard, has developed a new method of infiltrating foreign embassies in Moscow by redirecting web traffic to install spyware.
According to a recent report released by Microsoft's security team, Turla's access to ISPs allows it to manipulate internet traffic, effectively tricking diplomats into unwittingly downloading malicious software. This software, identified as ApolloShadow, masquerades as a Kaspersky security update. Once installed, it disables the encryption on users' computers, exposing sensitive data, including usernames and passwords, to surveillance by the ISPs and other associated state agencies.
Sherrod DeGrippo, Microsoft's director of threat intelligence strategy, explained that the tactic merges traditional passive surveillance techniques with targeted hacking, blurring the line between the two. By exploiting web requests made to what are known as "captive portals"—the prompts users encounter in locations like airports and cafes—Turla can present foreign embassy staff with a false error message that urges a browser update. In reality, agreeing to such an update leads to spyware installation.
Turla's approach not only circumvents detection but does so without exploiting any software vulnerabilities, which makes it particularly challenging to defend against. This method underscores a paradigm shift in espionage strategy, as Turla treats Russian telecom infrastructure as an integral part of its offensive toolkit.
Microsoft’s report confirmed the utilization of Russia’s SORM system—a surveillance program to intercept communications—as part of Turla’s technique for monitoring embassy communications. While the specifics regarding the targeted embassies remain undisclosed, it is understood that warnings were issued to the identified victims, indicating the serious threat posed by this group.
The revelation highlights a growing concern over the effectiveness of state-sponsored hacking within countries with compromised communications infrastructure. DeGrippo warns that similar techniques could be adopted by other nation-state actors, posing risks to entities operating within these environments. Potential preventative measures include using virtual private networks (VPNs) to encrypt internet traffic and employing multifactor authentication to mitigate the chances of unauthorized access.