Microsoft has revealed that a cyber-espionage group linked to Russia’s Federal Security Service (FSB) is conducting advanced attacks against foreign diplomatic missions in Moscow by exploiting local internet service providers (ISPs).
The threat actor, tracked by Microsoft as Secret Blizzard and also known as Turla, Waterbug, and Venomous Bear, has been observed using an adversary-in-the-middle (AiTM) position at the ISP level to deliver a custom malware strain called ApolloShadow.
According to Microsoft, the attackers intercept and redirect embassy staff and other high-value targets to deceptive captive portals.
These portals prompt victims to download what appears to be a legitimate Kaspersky antivirus update but is, in fact, a malware installer. Once executed, the malicious software installs a root certificate into the system's trusted store, enabling the attackers to make malicious websites appear legitimate to the victim's browser, maintain persistence, and exfiltrate sensitive data.
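Because the technique described above hinges on a root certificate appearing in the trusted store, the check a defender most wants is a simple audit of that store against a known-good baseline. The PowerShell script below is an added example written for this article, not code from Microsoft's report or from any analysis of ApolloShadow; the baseline file path and the 30-day "recently issued" window are assumptions chosen for illustration.

```powershell
# Added example (not from Microsoft's report): snapshot the Windows trusted-root
# stores on a known-clean machine, then on later runs report any root certificate
# that has appeared since, with hints about why it looks suspicious.
param(
    # Assumed location for the baseline; adjust to your own management path.
    [string]$BaselinePath = "$env:ProgramData\RootStoreBaseline.xml",
    # Assumed window: roots issued this recently are unusual for genuine CAs.
    [int]$RecentDays = 30
)

# Both machine-wide and per-user root stores matter: a per-user install needs no admin rights.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-RootCerts {
    foreach ($s in $stores) {
        Get-ChildItem -Path $s -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Store      = $s
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
    }
}

$current = Get-RootCerts

if (-not (Test-Path $BaselinePath)) {
    # First run: only do this on a machine you trust, since it defines "normal".
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($(@($current).Count) roots)."
    return
}

$baseline = Import-Clixml -Path $BaselinePath

# Thumbprints present now but absent from the baseline are the additions to review.
$new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Thumbprint |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object { $tp = $_.Thumbprint; $current | Where-Object Thumbprint -eq $tp }

foreach ($c in $new) {
    $flags = @()
    if ($c.SelfSigned) { $flags += 'self-signed' }
    if ($c.NotBefore -gt (Get-Date).AddDays(-$RecentDays)) { $flags += "issued within $RecentDays days" }
    if ($c.Store -like '*CurrentUser*') { $flags += 'per-user store (no admin needed)' }
    Write-Output ("NEW ROOT [{0}] {1} / {2} ({3})" -f $c.Store, $c.Subject, $c.Thumbprint, ($flags -join ', '))
}

if (@($new).Count -eq 0) { Write-Output 'No roots added since baseline.' }
```

Run it once on a clean build to record the baseline, then schedule it (or fold the same logic into your EDR's certificate inventory). A newly appeared, self-signed root with a very recent NotBefore date in the per-user store is exactly the shape a rogue interception certificate takes; any such hit should be treated as a likely compromise until the certificate's origin is explained.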
“This is the first time we can confirm Secret Blizzard’s ability to perform espionage at the ISP level in Russia,” Microsoft stated, warning that any diplomatic personnel using local telecommunications networks in Moscow are at heightened risk.
While Microsoft detected the current wave of attacks in February 2025, the campaign has reportedly been active since at least 2024. Investigators believe the hackers are also exploiting Russia’s domestic interception framework, known as the System for Operative Investigative Activities (SORM), to scale their AiTM operations.
A Veteran Espionage Group with Unconventional Tactics
Secret Blizzard has been active since at least 1996, targeting embassies, government bodies, and research institutions in over 100 countries. The group has been linked to the FSB’s Center 16 and to the now-dismantled Snake cyber-espionage network, taken down in a joint operation by the Five Eyes intelligence alliance.
Turla’s past activities have included infiltrations against high-profile entities such as the U.S. Central Command, NASA, the Pentagon, several Eastern European ministries, the Finnish Foreign Ministry, and multiple EU governments. Known for their creativity, the hackers have hidden malware commands in Instagram photo comments, hijacked Iranian and Pakistani hacking infrastructure to mislead investigators, and targeted Ukrainian military networks connected to Starlink.
Microsoft’s findings underline the significant cyber risks for foreign embassies and sensitive organisations operating in Russia, especially those reliant on local ISPs for connectivity.