The Kremlin’s most notorious hacking group uses Russian ISPs to plant spyware


The Russian state hacker group known as Turla has carried out some of the most innovative hacking feats in the history of cyberespionage: hiding malware communications inside satellite internet connections, or hijacking other hackers’ operations to obscure its own data exfiltration. When operating on its home turf, however, it turns out the group tried something equally noteworthy but far simpler. It appears to have used control of Russian internet service providers to plant spyware directly on targeted computers in Moscow.

Today, Microsoft’s security research team published a report detailing an insidious new spying technique used by Turla, which is believed to be part of Russia’s FSB intelligence agency. The group, also known as Snake, Venomous Bear, or Secret Blizzard (Microsoft’s own name for it), appears to have used state-sanctioned access to Russian ISPs to interfere with internet traffic and trick victims working at foreign embassies in Moscow into installing spyware on their PCs. That spyware disables encryption on the targeted machines, leaving data transmitted over the internet unencrypted and making communications and credentials such as usernames and passwords completely exposed to surveillance by those same ISPs, as well as by cooperating state surveillance agencies.

Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, says the technique represents an unusual blend of targeted hacking with the more passive mass surveillance practiced by spy agencies, in which ISP and telecom data are collected and sifted for surveillance targets. “This blurs the boundaries between passive surveillance and actual intrusion,” DeGrippo says.

DeGrippo suggests the technique is a powerful new weapon for this particular group of FSB hackers to use against people within Russia’s borders. “It shows potentially how they view Russia-based telecom infrastructure as part of their toolkit,” she says.

According to Microsoft’s researchers, Turla’s technique exploits the specific web request a browser makes when it encounters a “captive portal,” the login pages most commonly used to grant internet access in airports, on planes, in cafes, and similar settings. On Windows, that captive-portal check reaches out to a specific Microsoft website to confirm the computer is actually online; because the check runs automatically and over plain HTTP, anyone sitting on the network path can answer it. (It is not clear whether the captive portal used against Turla’s victims was a legitimate one routinely used by the targeted embassy, or whether Turla somehow imposed it on users as part of the hacking technique.)

By leveraging its control of the ISP that connected staff of a particular foreign embassy to the internet, Turla was able to redirect targets to an error message urging them to download an update to their browser’s encryption certificate before they could access the web. When an unsuspecting user agreed, they instead installed malware that Microsoft calls ApolloShadow.
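The captive-portal check and the redirect lure described in the two paragraphs above, as an added example that is not part of the original article or of Microsoft’s report: a Python model of the plain-HTTP connectivity probe Windows sends, a minimal parser for the raw response, and a classifier that separates a genuine answer from a captive-portal login redirect and from the kind of “install this certificate update” lure the article describes. The probe URL, expected body and user agent are documented Windows NCSI behaviour rather than details taken from the page; the sample responses, the hotel-portal and lure pages, the hostnames in them and the lure heuristics are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Windows' Network Connectivity Status Indicator (NCSI) probe. The article only
# says "a specific Microsoft website"; these values are documented Windows
# behaviour, not something stated on the page.
NCSI_HOST = "www.msftconnecttest.com"
NCSI_PATH = "/connecttest.txt"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"

# A connectivity probe must never come back as a page asking the user to
# install anything. Constructed heuristics, not Microsoft's own rules.
LURE_PATTERN = re.compile(
    r"certificate|root\s*ca|\.(?:cer|crt|p12|pfx|exe|msi)\b", re.IGNORECASE
)
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class HttpResponse:
    status: int
    headers: dict
    body: str


def parse_http_response(raw: bytes) -> HttpResponse:
    """Minimal parser for a raw HTTP/1.x response (the probe is plain HTTP)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(int(status), headers, body.decode("utf-8", "replace"))


def classify_probe(resp: HttpResponse) -> str:
    """
    'online'          genuine NCSI answer, nothing on the path interfered
    'captive_portal'  probe intercepted and pointed at a login page
    'suspicious_lure' probe intercepted and pointed at a certificate/software
                      download, the pattern the article describes
    'tampered'        anything else that is not the expected text
    """
    if resp.status == 200 and resp.body.strip() == NCSI_EXPECTED_BODY:
        return "online"
    target = resp.headers.get("location", "")
    if LURE_PATTERN.search(target) or LURE_PATTERN.search(resp.body):
        return "suspicious_lure"
    if resp.status in REDIRECT_CODES or "<html" in resp.body.lower():
        return "captive_portal"
    return "tampered"


def probe_live(host: str = NCSI_HOST, path: str = NCSI_PATH, timeout: float = 5) -> HttpResponse:
    """Send the real probe once, without following redirects (network required)."""
    import http.client
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "Microsoft NCSI"})
    r = conn.getresponse()
    body = r.read().decode("utf-8", "replace")
    return HttpResponse(r.status, {k.lower(): v for k, v in r.getheaders()}, body)


# Constructed sample responses. GENUINE is what Microsoft's server returns;
# the other two are invented to model a hotel login portal and an on-path
# "certificate update" lure of the kind the article describes.
GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
           b"Microsoft Connect Test")
HOTEL_PORTAL = (b"HTTP/1.1 302 Found\r\n"
                b"Location: http://10.0.0.1/login?redirect=http://www.msftconnecttest.com/connecttest.txt\r\n"
                b"Content-Length: 0\r\n\r\n")
LURE_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>Error: your browser's encryption certificate is out of date. "
             b"<a href=\"/certupdate.exe\">Install the update to continue</a></body></html>")

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("hotel", HOTEL_PORTAL), ("lure", LURE_PAGE)):
        print(f"{label:8s} -> {classify_probe(parse_http_response(raw))}")
```

The classifier deliberately checks for a lure before it checks for a redirect: a real captive portal also answers the probe with a redirect, so the redirect alone proves only that something on the path is interposing, while a download prompt in the answer is what turns an ordinary portal into the intrusion the article describes.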

ApolloShadow then essentially disables browser encryption, quietly stripping encryption protection from all web data the computer sends and receives. DeGrippo says this relatively simple certificate tampering was likely intended to be harder to detect than full-featured spyware while achieving the same result.
