Microsoft accuses Russia’s FSB of using malware against foreign embassies

Microsoft says cyber-espionage campaign ‘poses high risk’ to foreign embassies, diplomats and other groups in Moscow.

Microsoft has accused one of the Russian government’s premier cyber-espionage units of deploying malware against embassies and diplomatic organisations in Moscow by leveraging local internet service providers.

In a blog post on Thursday, Microsoft Threat Intelligence said the campaign by Russia’s Federal Security Service, also known as the FSB, “has been ongoing since at least 2024”.

The effort “poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers”, Microsoft said.

According to Microsoft, the analysis confirms for the first time that the FSB is conducting cyber-espionage at the ISP level.

“This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of [the campaign] within those services,” the blog post reads.

Microsoft tracked an alleged FSB cyber-espionage campaign that in February targeted unnamed foreign embassies in Moscow.

The FSB activity facilitates the installation of custom backdoors on targeted computers, which can be used to install additional malware, as well as steal data, Microsoft said.

The findings come amid increasing pressure from Washington for Moscow to agree to a ceasefire in its war in Ukraine, and amid pledges from NATO countries to increase defence spending in response to their own concerns about Russia.

Microsoft did not say which embassies were targeted by the FSB campaign.

The US Department of State, as well as Russian diplomats, did not respond to requests for comment from the Reuters news agency.

Russia has denied carrying out cyber-espionage operations. There was no immediate comment from Moscow on Microsoft’s report on Thursday.

The hacking unit linked to the activity, which Microsoft tracks as “Secret Blizzard” and others categorise as “Turla”, has been hacking governments, journalists and others for nearly 20 years, the US government said in May 2023.


Microsoft, DOJ take down Lumma Stealer malware sites

Microsoft, the Justice Department and other global partners have seized and taken down domains that distributed malware to cybercriminals and globally infected nearly 400,000 computers.

May 21 (UPI) — Microsoft, the Department of Justice and others have thwarted the use of the Lumma Stealer malware that globally has infected nearly 400,000 computers.

The tech giant’s Digital Crimes Unit seized and helped take down, suspend and block about 2,300 “malicious domains” that were the backbone of Lumma’s infrastructure, said Steven Masada, assistant general counsel for Microsoft’s DCU.

Microsoft on May 13 filed a federal lawsuit against Lumma Stealer in the U.S. District Court for Northern Georgia, itnews reported.

Microsoft says Lumma Stealer is a “malware as a service” that can steal data from browsers, cryptocurrency wallets and other applications by installing malware.

The tech firm from March 15 through Friday identified more than 394,000 Windows computers around the world that were infected with the Lumma malware.

The Department of Justice on Wednesday unsealed two warrants authorizing the seizure of five Internet domains used by cybercriminals to operate the Lumma malware service, which also is called “LummaC2.”

The Lumma malware “is deployed to steal sensitive information, such as user login credentials from millions of victims in order to facilitate a host of crimes,” said Matthew Galeotti, leader of the DOJ’s Criminal Division, in a news release.

Those crimes include fraudulent bank transfers and cryptocurrency theft, Galeotti said.

“The Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets,” he added.

The DOJ’s affidavit seeking the two seizure warrants accuses the administrators of LummaC2 of using the seized websites to distribute the malware to their affiliates and other cybercriminals.

Browser data, autofill information, login credentials for email and banking services, and the cryptocurrency seed phrases that unlock crypto wallets were common targets of the malware, according to the DOJ.

FBI investigators also identified at least 1.7 million instances in which the malware enabled cybercriminals to steal such information.

The DOJ on Monday seized two online domains used to distribute the malware, which caused the Lumma operators to direct users to three new domains on Tuesday.

The DOJ seized the three new domains on Wednesday.

Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center enabled the takedown of Lumma infrastructure within their respective jurisdictions, Microsoft officials said.
