The Kremlin’s most unique hacking group uses Russian ISPs to plant spyware
Russian Government The hacker group known as Torila has done some of the most innovative hacking masterpieces in the respected cyber history, hiding its malware in satellite joints or hiding hackers to observe its data extraction. However, when they work on their grass, it turns out that they are as significant, if they are more direct, approach: they seem to have used their control over Russian Internet service providers to plant spy directly on their target computers in Moscow.
A Microsoft security research team, focusing on hacking threats today, released a report that uses the details of the new Turla spy technique, which is believed to be part of the FSB Kremlin Information Agency. The group, also known as a snake, a poisonous bear or Microsoft’s name, appears to have used its government penalties to Russian ISPs to intervene with Internet traffic and use victims working in Moscow to install the group’s malicious software on their PCs. That spy then disabled the encryption on the devices of these targets so that the data they transmit via the Internet would leave their communications and credentials, such as usernames and passwords fully supervised by the same ISPs and any government supervisory agency they collaborate with.
Sherrod Degrippo, director of Microsoft’s threat information strategy, says the technique is a rare combination of targeted hacking for espionage and an older and passive approach to governments for mass surveillance, in which spy agencies collect ISP and communications data to regulatory goals. “This boundary disappears between passive oversight and real influence,” says Digpoo.
For this particular group of FSB hackers, DegripPo adds, and it also offers a new powerful weapon in its arsenal to target anyone on the Russian borders. “This potentially shows how they think of Russian telecommunications infrastructure as part of their tool kit,” he says.
According to Microsoft researchers, the TURLA technique exploits special web browsers that are used in settings such as airports, planes or cafes, but also within some government agencies and agencies when exposed to the “captive portal”, Windows. In Windows, those captive ports reach a Microsoft specific website to check that the user’s computer is actually online. (It is not yet clear whether the captive portals were used to hack the victims of Torla, in fact legal persons were typically used by target embassies, or those that Torla somehow imposed on users as part of their hacking technique.)
Torla, using ISPs that connect some foreign embassy employees to the Internet, was able to guide the targets to view an error message that will update their browser encryption certificates before accessing the web. When a suspect agreed, they instead installed a piece of malware that Microsoft calls Apoloshado, hidden as a Kaspersky security update.
This Apoloshado malware essentially deactivates the browser encryption, and silences the encryption protection for all web data that the computer transmits and receives. Degrippo says this relatively simple certificate manipulation was probably harder to detect harder than a comprehensive spy, while achieving the same result.
