Russian Hackers Intercept Internet Traffic of Foreign Missions in Moscow


Foreign diplomatic missions and sensitive organizations operating in Moscow are being targeted by state-sponsored cyber actors using advanced surveillance techniques at the internet service provider (ISP) level. According to a new report from Microsoft’s Threat Intelligence team, the group responsible—known as Secret Blizzard—is closely linked to Russia’s Federal Security Service (FSB), specifically Center 16.

The attackers are conducting adversary-in-the-middle (AiTM) operations by leveraging privileged ISP-level access. This allows them to intercept and manipulate internet traffic without alerting the target. Victims, primarily foreign embassies and similar institutions, are unknowingly redirected to attacker-controlled infrastructure.

At the core of the campaign is a malware strain Microsoft calls ApolloShadow, whose main job is to install a rogue root certificate on the victim's device. Because the device then trusts any certificate that chains to that root, the attackers, who already control the traffic path at the ISP, can terminate TLS connections on their own infrastructure and present certificates the browser accepts without a warning. From that point, anything sent over those nominally encrypted connections, including passwords and authentication tokens, is readable to them in the clear.
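Because the whole attack hinges on an extra root certificate being present, the check a practitioner wants is a baseline diff of the trust store. The script below is an added example, not code from the article or from Microsoft's report. It assumes a Windows host (the standard-library `ssl.enum_certificates()` it relies on exists only there) and a baseline file you created on a known-good machine; the file name, the JSON layout and the sample entries in the test are constructed for the example.

```python
"""Baseline audit of the Windows ROOT certificate store (added example).

Assumptions: the baseline is a JSON list of SHA-256 fingerprints of the roots
you expect (snapshot taken on a known-good host); the store is read with
ssl.enum_certificates(), which is available only on Windows.
"""
import hashlib
import json
import ssl
import sys
from pathlib import Path

BASELINE_FILE = Path("root-baseline.json")  # assumed name for this example


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def unexpected_roots(certs, baseline):
    """Return (fingerprint, pem) for each trusted certificate not in the baseline.

    `certs` has the shape returned by ssl.enum_certificates(): tuples of
    (der_bytes, encoding_type, trust), where trust is True for all-purpose
    trust or a set of OIDs. Entries that are not X.509 or carry no trust are
    ignored; the PEM is returned so the cert can be inspected with openssl.
    """
    found = []
    for der, encoding, trust in certs:
        if encoding != "x509_asn" or not trust:
            continue
        fp = fingerprint(der)
        if fp not in baseline:
            found.append((fp, ssl.DER_cert_to_PEM_cert(der)))
    return found


def load_store(store="ROOT"):
    if not hasattr(ssl, "enum_certificates"):
        raise SystemExit("ssl.enum_certificates() is only available on Windows")
    return ssl.enum_certificates(store)


def main(argv):
    certs = load_store()
    if argv[1:] == ["--snapshot"]:
        # Run this once on a known-good machine, then copy the file around.
        fps = sorted({fingerprint(d) for d, enc, t in certs if enc == "x509_asn" and t})
        BASELINE_FILE.write_text(json.dumps(fps, indent=1))
        print(f"wrote {len(fps)} fingerprints to {BASELINE_FILE}")
        return 0
    baseline = set(json.loads(BASELINE_FILE.read_text()))
    extras = unexpected_roots(certs, baseline)
    for fp, pem in extras:
        print(f"UNEXPECTED ROOT {fp}\n{pem}")
    return 1 if extras else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `--snapshot` on a clean build, then run the script without arguments on the hosts you are worried about; any root that appears in the output and was not deliberately deployed by your own PKI deserves the same treatment as a confirmed compromise indicator.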

The infection path starts with the connectivity check a device performs when it joins a network, the same probe that normally detects a captive portal. Instead of reaching the legitimate test page, the user is redirected to a counterfeit captive portal hosted by the attackers. That page presents what looks like a certificate problem and prompts the user to install what appears to be Kaspersky antivirus; the installer is in fact ApolloShadow.
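The redirect itself is detectable from the client side, since the connectivity probe has a fixed, well-known answer. The script below is an added example, not code from the article or from Microsoft's report. It assumes a Windows 10/11 host, whose probe fetches `http://www.msftconnecttest.com/connecttest.txt` and expects the exact body `Microsoft Connect Test`; the portal response used in the test is constructed, and any redirect, non-200 status, HTML body or body mismatch is treated as a sign that something on the path is impersonating the probe endpoint.

```python
"""Check a Windows connectivity probe for captive-portal tampering (added example).

Assumption: Windows 10/11 NCSI probe URL and expected body. The live probe
deliberately refuses to follow redirects so a portal redirect is reported
rather than silently taken.
"""
import urllib.error
import urllib.request

PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"
EXPECTED_BODY = b"Microsoft Connect Test"
REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError instead of following."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def assess_probe(status, headers, body):
    """Return a list of findings; an empty list means the probe looks untampered."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES or "location" in h:
        findings.append(f"redirected to {h.get('location', '?')}")
    elif status != 200:
        findings.append(f"unexpected status {status}")
    if "html" in h.get("content-type", "").lower():
        findings.append("HTML body where plain text was expected (portal page?)")
    if body.strip() != EXPECTED_BODY:
        findings.append(f"body mismatch: {body[:60]!r}")
    return findings


def run_probe(url=PROBE_URL, timeout=5):
    """Fetch the probe URL without following redirects and assess the answer."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return assess_probe(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:  # raised for redirects and 4xx/5xx
        return assess_probe(err.code, dict(err.headers), err.read())


# Constructed sample of what a counterfeit portal might answer (not a real capture).
FAKE_PORTAL = (
    302,
    {"Location": "http://portal.example.invalid/login", "Content-Type": "text/html"},
    b"<html><body>Network login required</body></html>",
)

if __name__ == "__main__":
    print("constructed portal sample:", assess_probe(*FAKE_PORTAL))
    print("live probe:", run_probe() or "no findings")
```

A clean network returns no findings; a redirect to any host, however plausible its name, is exactly the situation the article describes, and the right response is to stop, not to click through a certificate prompt.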

Once installed, ApolloShadow begins data exfiltration and attempts to escalate its privileges to fully compromise the device.

This surveillance campaign has reportedly been active since at least 2024 and represents a significant threat to organizations relying on local Russian internet infrastructure.

To mitigate risk, Microsoft advises users in high-risk environments to route traffic through encrypted channels such as VPNs or satellite-based communications systems that are outside the control of Kremlin-aligned entities. Similar techniques have previously been used against foreign ministries in Eastern Europe.

The warning underscores the continued need for secure, independent communications infrastructure when operating in adversarial environments.