Security - August 1, 2025

Russian ISPs Used by Kremlin’s Elite Hackers for Spyware Installation: A Potential Cybersecurity Threat Unveiled

In an extensive report published by Microsoft’s security research team, the state-sponsored hacking group known as Turla, believed to be affiliated with Russia’s Federal Security Service (FSB), has been implicated in a sophisticated cyberespionage tactic. Known alternatively as Snake, Venomous Bear, and Secret Blizzard, this group is alleged to have leveraged their state-sanctioned access to Russian Internet Service Providers (ISPs) to manipulate internet traffic and deceive foreign embassy personnel in Moscow into unwittingly installing malicious software on their computers.

The spyware deployed by Turla reportedly disabled the encryption on targeted devices, making all data transmitted across the internet unencrypted and leaving communications vulnerable to surveillance by these same ISPs, as well as any cooperating state surveillance agencies. Sherrod DeGrippo, Microsoft’s Director of Threat Intelligence Strategy, has described this technique as a unique fusion of targeted espionage hacking and governments’ historical approach to mass surveillance, whereby spy agencies collect and analyze data from ISPs and telecommunications companies for surveillance purposes.

DeGrippo notes that this tactic indicates a potentially powerful new asset in Turla’s repertoire for targeting individuals within Russia’s borders, suggesting that the group views Russia-based telecom infrastructure as an integral part of their operational toolkit.

According to Microsoft’s researchers, Turla exploited a specific web request that browsers make when they encounter captive portals – the gatekeepers commonly used in settings such as airports, aircraft, and cafés, but also within certain companies and government agencies. On Windows, this connectivity check sends a request to a specific Microsoft website to confirm that the user’s computer is online. (It remains unclear whether the captive portals employed against Turla’s victims were legitimate ones used by the target embassies or were imposed on users as part of Turla’s hacking technique.)

By exploiting their control over the ISPs connecting certain foreign embassy staff to the internet, Turla redirected targets to view an error message prompting them to download an update to their browser’s cryptographic certificates before accessing the web. Upon agreeing to the update, victims inadvertently installed a piece of malware Microsoft refers to as ApolloShadow, disguised as a security update from Kaspersky.

Once installed, ApolloShadow effectively disabled the browser’s encryption, silently dismantling cryptographic protections for all web data transmitted and received by the affected computer. This relatively straightforward certificate tampering was designed to be less detectable than a fully-fledged piece of spyware, DeGrippo explains, while achieving the same objective.
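A defender-side audit for the two signals the article describes, the intercepted Windows connectivity check and a tampered root certificate store, written here as an added example rather than code from Microsoft’s report or the article. It assumes a baseline file of known-good root thumbprints at a path you supply; the probe URL and expected body are the ones Windows itself uses.

```powershell
# Added example: audit a Windows host for the two signs described above.
# 1) Does the Windows connectivity probe still reach Microsoft without redirection?
# 2) Have root certificates appeared that are not in a known-good baseline?
# Baseline (assumed path): one thumbprint per line, captured on a clean machine with
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Set-Content root-baseline.txt

function Test-ConnectivityProbe {
    # The Windows Network Connectivity Status Indicator fetches this URL and expects a fixed body.
    $probeUrl = 'http://www.msftconnecttest.com/connecttest.txt'
    try {
        $resp = Invoke-WebRequest -Uri $probeUrl -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        $body = $resp.Content.Trim()
        [pscustomobject]@{
            Check  = 'Connectivity probe'
            Ok     = ($resp.StatusCode -eq 200) -and ($body -eq 'Microsoft Connect Test')
            Detail = "HTTP $($resp.StatusCode), body: $body"
        }
    } catch {
        # A redirect (captive portal, or an intercepting network path) or a connection failure lands here.
        [pscustomobject]@{ Check = 'Connectivity probe'; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Get-UnexpectedRootCerts {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ }
    # Check both stores: a root added to the per-user store is enough for a browser that
    # relies on the Windows trust store to accept a forged certificate for any site.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store |
            Where-Object { $baseline -notcontains $_.Thumbprint.ToUpperInvariant() } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                }
            }
    }
}

Test-ConnectivityProbe | Format-List
# Newest roots first: a certificate that appeared around the time of a suspicious "update" stands out.
Get-UnexpectedRootCerts -BaselinePath 'C:\Baseline\root-baseline.txt' |
    Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Any root listed should be traced back to a change you can account for (enterprise PKI, endpoint software) before it is trusted further; an unexplained one is exactly the artifact the certificate-tampering technique leaves behind.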