A Russian cyberespionage group is using local internet service providers (ISPs) and imitating Kaspersky to plant spyware on foreign embassy devices in Moscow, Microsoft Threat Intelligence found.
The Secret Blizzard group, also tracked as Turla and linked to the FSB, has been operating for at least eight years, but began using its access to Russian ISPs and telecommunication networks to deploy its intelligence-collecting ApolloShadow malware in 2024.
Microsoft researchers said: “The Secret Blizzard adversary in the middle (AiTM) position is likely facilitated by lawful intercept and notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus.”
The tactic is an escalation of previous techniques used by Secret Blizzard to spy on foreign ministries in Eastern Europe through a “trojanized Flash installer” and its other AiTM operations hijacking third-party actors' infrastructure.
How does it work?
Secret Blizzard’s latest operation intercepts targets at the ISP or telco level and redirects their devices behind a captive portal. The device's legitimate connectivity test is then also redirected, landing on a fake “certificate validation error” page where the user is prompted to download ApolloShadow.
Following its download, the malware ascertains the privilege level of the infected system and will prompt non-admin users to download a fake Kaspersky installer to install root certificates and elevate the actor’s privileges.
Interestingly, researchers found no evidence of lateral movement once the group gained privileged access, but ApolloShadow does alter the host by setting all its networks to Private, thereby relaxing firewall restrictions on file sharing, something Microsoft said is "likely to reduce the difficulty of lateral movement".
Installation of ApolloShadow also allows TLS/SSL stripping, enabling Secret Blizzard to see a device's browsing activity, including specific tokens and credentials, in clear text.
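The two host changes described above, a newly installed root certificate and network profiles switched to Private, are both auditable from the endpoint. The following PowerShell is an added example written for this article, not code from Microsoft or from the report; the baseline path and function names are hypothetical, and it detects new roots by diffing against a saved snapshot rather than by any indicator, since the article publishes none.

```powershell
# Added example: audit the host changes the article attributes to ApolloShadow.
# 1) Snapshot the trusted root stores, later diff against that baseline.
# 2) List network connection profiles whose category is Private.
# $BaselinePath is a hypothetical location; choose one your EDR/backup covers.
$BaselinePath = "$env:ProgramData\RootStoreBaseline.json"

function Get-RootStoreSnapshot {
    # Every certificate in the machine-wide and current-user Root stores.
    # PSParentPath tells us which store a root came from: an unprivileged
    # install (the non-admin path in the article) can only reach CurrentUser.
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, PSParentPath
}

function Save-RootStoreBaseline {
    # Run once on a known-good machine state.
    Get-RootStoreSnapshot | ConvertTo-Json -Depth 3 |
        Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-RootStoreToBaseline {
    # Returns roots present now that were absent from the baseline.
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-RootStoreBaseline first."
    }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $known = @{}
    foreach ($cert in $baseline) { $known[$cert.Thumbprint] = $true }
    Get-RootStoreSnapshot | Where-Object { -not $known.ContainsKey($_.Thumbprint) }
}

function Get-PrivateNetworkProfiles {
    # The malware is reported to set all networks to Private, which relaxes the
    # firewall's file-sharing rules; on a managed laptop every profile being
    # Private (rather than Public or DomainAuthenticated) is worth a look.
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'Private' } |
        Select-Object Name, InterfaceAlias, NetworkCategory
}

# Usage:
#   Save-RootStoreBaseline        # once, before travel or at build time
#   Compare-RootStoreToBaseline   # afterwards; any output is a new trusted root
#   Get-PrivateNetworkProfiles    # profiles currently treated as Private
```

A new root whose Subject names an antivirus vendor but whose Issuer and validity dates do not match the vendor's published roots is the case the article describes; the baseline diff surfaces it without relying on the name.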
Another reminder of Russian cyber-power
The threat researchers advised sensitive organisations working in Moscow, and all customers, to use an independent or satellite-based VPN or route all traffic through an encrypted tunnel to a trusted network.
While Russia has a long history of cyberespionage, and Microsoft did not name the embassies involved, the country has faced renewed pressure from the US and its allies recently over its continued war in Ukraine.
In March 2025, the UK also accused Russia of attempting to push its Moscow embassy to close after it expelled a British diplomat and their spouse from the country.
The Microsoft advisory also comes two months after reports internet users in Russia were being throttled by their ISPs when connecting to Cloudflare-protected web services, further highlighting the government's control of the sector.