The Russian hacker group Turla, known for their advanced cyberespionage techniques, has been linked to a new spying method that demonstrates their sophisticated approach to cyber operations. This group has made headlines for utilizing unorthodox methods, such as embedding malware communications in satellite connections or commandeering other hackers’ operations to obscure their own data theft. However, when conducting operations within Russia, Turla appears to have adopted a more straightforward yet equally effective tactic: leveraging their influence over the nation’s internet service providers (ISPs) to implant spyware directly onto computers of targeted individuals in Moscow.
A recent report from Microsoft’s security research team has shed light on this insidious tactic, believed to be associated with the Federal Security Service (FSB) of Russia. Identified by multiple names, including Snake and Venomous Bear, Turla is alleged to have manipulated internet traffic to deceive personnel in foreign embassies in Moscow into unwittingly downloading malicious software. This spyware not only enabled the group to capture unencrypted data but also intercepted sensitive information like usernames and passwords, making these communications vulnerable to scrutiny by both the ISPs and state surveillance agencies.
According to Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, this method represents a significant intersection between focused cyber espionage and the more traditional approaches to mass surveillance employed by governmental bodies. DeGrippo emphasized the blurred lines between passive monitoring of broad data streams and actively infiltrating individual systems, indicating a shift in tactics towards a more intrusive form of surveillance.
For the FSB’s technology-savvy operatives, this breakthrough suggests an expanded arsenal for targeting individuals within Russian territory. It indicates a burgeoning perception of Russia’s telecommunications infrastructure as a key element in their strategic toolkit, thereby augmenting their capabilities against domestic and foreign targets alike.
Microsoft researchers have identified the technique employed by Turla as exploiting certain web requests that browsers make when they detect a “captive portal.” These portals are frequently used to control internet access in locations such as airports and cafes, and they may have also been used within specific organizations and governmental facilities. On Windows systems, this connectivity check contacts a designated Microsoft site to verify that the machine is online. It remains uncertain whether the captive portals used in this operation were legitimate or had been constructed by Turla as part of their infiltration strategy.
By leveraging control over ISPs, Turla was able to redirect their targets to an error message that misled them into believing they had to update their browser’s cryptographic certificates to regain internet access. When users complied, they inadvertently installed malware named ApolloShadow, disguised as a legitimate Kaspersky security update. This malware effectively neutralized browser encryption, stripping cryptographic protection from all web data transmitted by the victims’ devices.
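A defender-side check that follows from the certificate trick described above, given here as an added example and not code from the article or the Microsoft report: audit the Windows trusted-root stores for certificates that are absent from a known-good baseline or were issued recently. The baseline thumbprint list and the 30-day window are assumptions the reader replaces with their own.

```powershell
# Added example (not from the article): list trusted-root certificates that
# are not on a baseline allow-list or were issued within the last N days.
# With an empty baseline every root is reported, so export a baseline from a
# known-good machine first (see the usage lines at the bottom).
function Get-SuspiciousRootCerts {
    param(
        [string[]]$BaselineThumbprints = @(),   # constructed placeholder: thumbprints you trust
        [int]$DaysBack = 30                     # assumed review window
    )
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    # CurrentUser\Root is writable without admin rights, so a user-level
    # "certificate update" would most plausibly land there; LocalMachine\Root
    # is checked as well for completeness.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $inBaseline = $BaselineThumbprints -contains $cert.Thumbprint
            # NotBefore is only a proxy for "recently added"; the store does
            # not record the installation time itself.
            $recent = $cert.NotBefore -gt $cutoff
            if (-not $inBaseline -or $recent) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    Recent     = $recent
                    InBaseline = $inBaseline
                }
            }
        }
    }
}

# Usage (baseline captured on a known-good machine, then compared here):
#   Get-ChildItem Cert:\LocalMachine\Root |
#       Select-Object -ExpandProperty Thumbprint | Set-Content baseline.txt
#   Get-SuspiciousRootCerts -BaselineThumbprints (Get-Content baseline.txt) |
#       Format-Table -AutoSize
```

Any root that is both recent and outside the baseline deserves a look at its Subject and Issuer, since a self-signed root with a vendor-like name is exactly what a disguised "security update" would leave behind.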
DeGrippo notes that this relatively straightforward manipulation of certificates likely aimed to achieve results comparable to more complex spyware while remaining less detectable. The implications of this attack method highlight the vulnerabilities faced by organizations, particularly those operating in regions exposed to state-sponsored cyber activity. As threats evolve, business leaders must remain vigilant and informed to effectively safeguard their enterprises against such sophisticated intrusions.