The Kremlin’s Craftiest Hacker Group Is Using Russian ISPs to Plant Spyware

The Russian state hacking group known as Turla has pulled off some of the most inventive hacking feats in the history of cyberespionage, hiding its malware’s communications in satellite connections and hijacking other hackers’ infrastructure to mask its own data theft. When operating on home turf, however, the group appears to have tried an equally effective, if more straightforward, approach: using its control over Russian internet service providers to plant malware directly on the computers of Moscow’s targets.
A report released today by Microsoft’s threat intelligence team details a new spying technique used by Turla, which is believed to be part of Russia’s FSB intelligence agency. Also known as Snake, Venomous Bear, or, in Microsoft’s own naming scheme, Secret Blizzard, the group appears to have used its state-sanctioned access to Russian ISPs to manipulate internet traffic and trick staff of foreign embassies in Moscow into installing the group’s malware on their PCs. The spyware then tampers with the encryption on those machines so that the data they send over the internet can be read in transit, leaving their communications and credentials such as usernames and passwords fully exposed to surveillance by that same ISP, and by any state surveillance agency it works with.
The technique represents a rare convergence of hacking with a government’s older and more passive approach to mass surveillance, in which spy agencies monitor targets by collecting and sifting through the data that flows through ISPs and telecoms, said Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. “This blurs the boundary between passive surveillance and actual invasion,” DeGrippo said.
For this group of FSB hackers, it also hints at a powerful new weapon in their arsenal for targeting anyone inside Russia’s borders, DeGrippo added. “It has the potential to show how they view Russia’s telecom infrastructure as part of the toolkit,” she said.
According to Microsoft’s researchers, Turla’s technique exploits the web requests that browsers and operating systems make when they encounter a “captive portal,” the login page most commonly used to gate internet access in places such as airports, aircraft, and cafes, but also inside some companies and government agencies. In Windows, this captive-portal check works by contacting a specific Microsoft website to confirm that the computer is actually online; if the response is anything other than the expected one, Windows concludes that a portal is in the way and opens it for the user. (It is not clear whether the captive portal used against Turla’s victims was a legitimate one belonging to the targeted embassy, or whether Turla somehow imposed the captive-portal check on users as part of its hacking technique.)
By leveraging its control of the ISPs that connect certain foreign embassy staff to the internet, Turla was able to redirect its targets to an error message prompting them to download an update to the browser’s encryption certificate before they could get online. When unsuspecting users agreed, they installed the malware Microsoft calls ApolloShadow, which was disguised, inexplicably, as a Kaspersky security update.
ApolloShadow then effectively disables the browser’s encryption, silently stripping the protection from all web traffic the computer sends and receives. In practice the “certificate update” tampers with which certificates the machine trusts, so that an ISP sitting between the victim and the internet can present its own certificate for any website and read the traffic in transit without the browser raising a warning. DeGrippo said that relatively simple certificate tampering can be harder to detect than full-featured spyware while achieving the same results.
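To make the delivery chain concrete, here is an added example, written for this page and not taken from Microsoft’s report or from any Turla tooling, that models the two points a defender can check: what the network returns for Windows’ connectivity probe, and whether the machine’s trusted-root store has acquired a certificate that was not there before. The probe URL and expected body are the defaults an unmodified Windows host uses (an assumption about the host); every HTTP response, hostname, and certificate record below is constructed for illustration, and the placeholder bytes stand in for DER-encoded certificates.

```python
"""Model of the Windows connectivity probe and of root-store drift (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Windows' Network Connectivity Status Indicator fetches a fixed URL and expects a fixed
# plain-text body. Assumption: an unmodified Windows 10/11 host with the default probe.
PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"
PROBE_EXPECTED_BODY = b"Microsoft Connect Test"


@dataclass
class HttpResponse:
    status: int
    headers: dict      # header names lower-cased
    body: bytes


def parse_http_response(raw: bytes) -> HttpResponse:
    """Minimal HTTP/1.x response parser: status line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return HttpResponse(status, headers, body)


def classify_probe(raw: bytes) -> str:
    """Classify what came back for the connectivity probe.

    'online'      : the exact body Windows expects
    'redirect'    : a 3xx with Location, i.e. the probe was diverted (portal or in-path ISP)
    'substituted' : a 200 whose body is not the expected text (content rewritten in transit)
    'unreachable' : anything else
    """
    resp = parse_http_response(raw)
    if 300 <= resp.status < 400 and "location" in resp.headers:
        return "redirect"
    if resp.status == 200:
        return "online" if resp.body.strip() == PROBE_EXPECTED_BODY else "substituted"
    return "unreachable"


def redirect_target(raw: bytes) -> Optional[str]:
    """Where a diverted probe sends the user; this is the lure page worth investigating."""
    return parse_http_response(raw).headers.get("location")


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER certificate, upper-case hex as Windows displays it."""
    return hashlib.sha256(der).hexdigest().upper()


def root_store_drift(baseline: set, current: list) -> list:
    """Return (subject, thumbprint) for every trusted root absent from the known-good baseline.

    A newly trusted root is what a 'certificate update' lure leaves behind: once it is
    installed, a man-in-the-middle at the ISP can mint an accepted certificate for any site.
    """
    return [(subject, fingerprint(der)) for subject, der in current
            if fingerprint(der) not in baseline]


# Constructed sample traffic: a genuine probe reply, a diverted one, and a rewritten one.
GENUINE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
                    b"Microsoft Connect Test")
DIVERTED_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                     b"Location: http://portal.example.invalid/certificate-update\r\n"
                     b"Content-Length: 0\r\n\r\n")
REWRITTEN_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<html>Install the certificate update to continue</html>")

# Constructed certificate records: placeholder bytes stand in for real DER certificates.
KNOWN_GOOD_ROOTS = [
    ("CN=Constructed Public CA Root 1", b"placeholder-der-for-public-root-1"),
    ("CN=Constructed Public CA Root 2", b"placeholder-der-for-public-root-2"),
]
BASELINE_THUMBPRINTS = {fingerprint(der) for _, der in KNOWN_GOOD_ROOTS}
CURRENT_ROOT_STORE = KNOWN_GOOD_ROOTS + [
    ("CN=Constructed Root Installed By Lure", b"placeholder-der-for-lure-root"),
]

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE_RESPONSE), ("diverted", DIVERTED_RESPONSE),
                       ("rewritten", REWRITTEN_RESPONSE)]:
        print(f"{label:>9}: {classify_probe(raw)}  {redirect_target(raw) or ''}")
    for subject, thumb in root_store_drift(BASELINE_THUMBPRINTS, CURRENT_ROOT_STORE):
        print(f"new trusted root: {subject} ({thumb[:16]}...)")
```

On a live host the equivalent checks are to fetch the probe URL without following redirects and compare the body, and to list the machine’s and user’s trusted-root stores against a known-good inventory. A redirect alone is not proof of an attack, since a legitimate captive portal produces exactly the same thing; what matters is where the redirect leads and whether anything it served ended up in the trust store.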