Moscow-based diplomats under surveillance by Kremlin henchmen through reported misuse of Internet service providers, Microsoft reveals.
In a recent cyber-espionage campaign, the Kremlin-backed group Secret Blizzard has been using a sophisticated tactic to target foreign embassies in Moscow. According to a report by Microsoft Threat Intelligence, the group is abusing local internet service providers' networks to intercept and redirect diplomatic internet traffic through malicious means.
This adversary-in-the-middle (AiTM) position is believed to be enabled by lawful intercept capabilities embedded within Russian ISPs or telecommunications providers, allowing Secret Blizzard to sit covertly between diplomatic users and their intended internet services.
The attackers use this access to reroute targeted embassy devices through fake captive portals that resemble legitimate login screens for internet access. When embassy personnel connect, they are tricked into installing a custom malware called ApolloShadow. This malware installs a trusted root certificate on the victims’ devices, making malicious actor-controlled sites appear trustworthy and enabling persistent surveillance and data exfiltration.
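As an added defensive check, not code from the article or from Microsoft's report: a PowerShell script that records the trusted root stores on a known-clean host and later flags any root certificate that was not in that baseline, which is the kind of change the root-certificate installation described above would produce. It assumes Windows endpoints and a baseline file path of your choosing; both are assumptions, not details from the article.

```powershell
# Added example (not from the article or Microsoft's report): audit the trusted
# root stores against a saved baseline and flag any root that was not there before.
# Assumes Windows endpoints; the baseline path is a placeholder you choose.
param(
    [string]$BaselinePath = "$env:ProgramData\rootstore-baseline.json",
    [switch]$WriteBaseline
)

# Collect every certificate in the machine-wide and per-user Root stores.
$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
        }
    }
}

if ($WriteBaseline) {
    # Run once on a known-clean build to record the expected set of roots.
    $roots | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written: $($roots.Count) roots -> $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -WriteBaseline on a clean host first."
}

# Index the baseline by store and thumbprint so lookups are exact, not by name.
$known = @{}
foreach ($r in (Get-Content -Raw $BaselinePath | ConvertFrom-Json)) {
    $known["$($r.Store)|$($r.Thumbprint)"] = $true
}

# Anything not in the baseline is a new trust anchor and deserves a human look.
$new = $roots | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }

if ($new) {
    Write-Warning "$($new.Count) root certificate(s) not present in baseline:"
    $new | Format-Table Store, Thumbprint, Subject, NotBefore -AutoSize
    exit 1
}
Write-Host "Root stores match baseline."
```

A non-zero exit code lets the check be scheduled and alerted on centrally; a new root with a subject that imitates a well-known CA but a different thumbprint is the case worth escalating first.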
The campaign, which has been active since at least 2024, marks the first time Secret Blizzard has been confirmed to conduct ongoing cyber espionage at the ISP level inside Russia. The group, affiliated with Russia’s Federal Security Service (FSB), exploits its privileged access within ISPs to covertly spy on diplomatic entities that rely on local Russian internet providers for connectivity.
Microsoft and other cybersecurity researchers have revealed that Secret Blizzard’s use of these ISP-level AiTM attacks significantly increases the risk to foreign embassies, as it bypasses many conventional network defenses by exploiting the telecommunications infrastructure itself.
To protect against Kremlin spies, Microsoft recommends routing all traffic through an encrypted tunnel to a trusted network rather than relying on a local ISP. Alternatively, using a virtual private network (VPN) service provider, such as a satellite-based one, is suggested. Personnel with access to sensitive data should use thoroughly vetted networks that are secured with end-to-end visibility.
The attackers' approach allows them to maintain long-term access to diplomatic systems, siphoning intelligence from sensitive networks inside foreign embassies physically located in Moscow.
Sources:
- The Hacker News (2025-07-31): Secret Blizzard Deploys Malware in ISP-Level AiTM Attacks
- Nextgov (2025-07-31): Russian Hackers Target Local Internet to Spy on Embassies
- Infosecurity Magazine (2025-08-01): Secret Blizzard Targets Moscow-Based Embassies
- The Record (2025-07-31): Russia FSB Turla Espionage at ISP Level
- The cybersecurity threat posed by Secret Blizzard is evident in their deployment of malware in ISP-level AiTM attacks, as reported by The Hacker News.
- The latest tactic used by Secret Blizzard, a Kremlin-backed group, involves exploiting Russian ISPs or telecommunications providers' lawful intercept capabilities for espionage purposes, as detailed in Microsoft Threat Intelligence's report.
- The ongoing cyber espionage campaign by Secret Blizzard, which is affiliated with Russia’s Federal Security Service (FSB), significantly elevates the risk for foreign embassies in Moscow, according to Microsoft, Nextgov, Infosecurity Magazine, and The Record.