Russian APT Secret Blizzard Uses ISP-Level AitM Attacks to Target Foreign Embassies in Moscow

Microsoft has uncovered a cyberespionage campaign carried out by the Russian state-backed group Secret Blizzard, which has been targeting foreign embassies in Moscow using sophisticated Adversary-in-the-Middle (AitM) techniques at the Internet Service Provider (ISP) level.

Active since at least 2006, Secret Blizzard (also tracked as Turla, Krypton, Venomous Bear, and Waterbug) has a long history of espionage operations on behalf of Russia's Federal Security Service (FSB). Microsoft says this is the first time it has been able to confirm that the group can operate at the ISP level inside Russia.

Microsoft assesses that the actor is likely leveraging Russia's domestic lawful-intercept systems, such as SORM (System for Operative Investigative Activities), to obtain a privileged position inside ISP networks. From that position it performs AitM attacks against the traffic of diplomatic staff, which lets it deliver a custom malware family Microsoft calls ApolloShadow to their devices.

How the Attack Works

The campaign placed target devices behind a captive portal, the same mechanism networks legitimately use to gate access. A network connectivity test of the kind Windows runs automatically behind a captive portal was redirected to a domain under the attackers' control, where the user was shown a certificate error and prompted to download what appeared to be a certificate fix. That download is ApolloShadow, and it installs a root certificate branded as Kaspersky's. The certificate does not itself grant privileges; its purpose is to make attacker-controlled or intercepted sites pass TLS validation without browser warnings, which is what makes the ISP-level interception usable against HTTPS. Elevated privileges are obtained separately, as described below.

Once running, ApolloShadow attempts to:

  • Check whether it is running with limited privileges and, if so, request elevation through User Account Control (UAC).
  • Obtain administrative rights by prompting the user with a UAC dialog, relying on the Kaspersky-themed installer to make the user click through.
  • Change the system's network profile settings to mark all networks as Private, which relaxes the Windows Firewall profile and enables device discovery and file sharing.
  • Install the root certificate with certutil, delete its installation artifacts, and configure Firefox profiles to trust the certificate (Firefox keeps its own trust store and does not honour the Windows root store by default).
  • Create a persistent local administrator account named UpdatusUser with a hardcoded password set to never expire.
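The artifacts above are all host-side and auditable. The following PowerShell hunting script is an added example, not Microsoft's or the malware's code; it checks a Windows host for each of the listed behaviours. The baseline file path and the list of expected administrator accounts are placeholders, the Firefox preference it looks for (security.enterprise_roots.enabled, the switch that makes Firefox trust the Windows root store) is the assumed mechanism for the Firefox change, and the 'Kaspersky' subject match follows the article's description rather than any published indicator.

```powershell
# Added hunting script (not Microsoft's or the malware's code): audits a Windows
# host for the ApolloShadow-style artifacts the article lists. Run elevated.
# Baseline paths, expected account names and the Firefox preference are assumptions.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Local administrators outside a baseline, reporting password-expiry state.
#    'UpdatusUser' is the name reported for this campaign; $ExpectedAdmins is a
#    placeholder baseline you should replace with your own.
$ExpectedAdmins = @('Administrator')
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object {
        $name = ($_.Name -split '\\')[-1]
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($u -and ($name -eq 'UpdatusUser' -or $ExpectedAdmins -notcontains $name)) {
            $expiry = if ($null -eq $u.PasswordExpires) { 'never expires' } else { "expires $($u.PasswordExpires)" }
            $Findings.Add("Unexpected local admin '$name' (enabled=$($u.Enabled), password $expiry, password set $($u.PasswordLastSet))")
        }
    }

# 2. Account-creation events (Security event 4720) naming the reported account,
#    which still surface the activity if the account has since been removed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'UpdatusUser' } |
    ForEach-Object { $Findings.Add("Event 4720: account UpdatusUser created at $($_.TimeCreated)") }

# 3. Root CAs absent from a known-good thumbprint list (one per line; the path
#    is a placeholder). Both stores are checked because certutil writes to the
#    user store when run without elevation. The 'Kaspersky' match follows the
#    article and will also flag a genuine Kaspersky HTTPS-scanning root, so
#    confirm any hit by thumbprint, not by name.
$BaselinePath = 'C:\Baseline\root-thumbprints.txt'
$Baseline = if (Test-Path $BaselinePath) { @(Get-Content $BaselinePath) } else { @() }
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store | ForEach-Object {
        $offBaseline = ($Baseline.Count -gt 0) -and ($Baseline -notcontains $_.Thumbprint)
        if ($offBaseline -or ($_.Subject -match 'Kaspersky')) {
            $Findings.Add("Suspicious root CA in ${store}: '$($_.Subject)' $($_.Thumbprint) (NotBefore $($_.NotBefore))")
        }
    }
}

# 4. Network profiles set to Private. The registry is read directly because
#    that is where the profile category lives (Category 0 = Public, 1 = Private,
#    2 = Domain); Get-NetConnectionProfile only shows currently connected networks.
$ProfileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
Get-ChildItem $ProfileKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.Category -eq 1) {
        $Findings.Add("Network profile '$($p.ProfileName)' is Private (registry Category=1)")
    }
}

# 5. Firefox profiles told to trust the Windows root store. The preference
#    checked here is the assumed mechanism; Firefox ignores the Windows store
#    unless security.enterprise_roots.enabled is true. All user profiles are
#    scanned, which is why the script needs to run elevated.
Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    $profiles = Join-Path $_.FullName 'AppData\Roaming\Mozilla\Firefox\Profiles'
    if (Test-Path $profiles) {
        Get-ChildItem $profiles -Directory | ForEach-Object {
            foreach ($file in 'user.js', 'prefs.js') {
                $path = Join-Path $_.FullName $file
                if ((Test-Path $path) -and
                    (Select-String -Path $path -Pattern 'security\.enterprise_roots\.enabled",\s*true' -Quiet)) {
                    $Findings.Add("Firefox profile $($_.Name): enterprise_roots enabled in $file")
                }
            }
        }
    }
}

if ($Findings.Count -eq 0) { 'No ApolloShadow-style artifacts found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Any single hit is weak on its own (a Private network profile or a third-party root CA is common on a laptop), but the combination of an unexpected non-expiring local administrator, an unrecognised root CA in both stores, and a Firefox profile newly trusting the Windows store is the cluster this campaign leaves behind and is worth escalating to incident response.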

Who Is at Risk?

Microsoft warns that any diplomatic personnel using local ISPs or telecom services in Russia are likely targets of this campaign. This highlights the growing risks of relying on untrusted or unencrypted infrastructure in high-risk geographies.

Recommendations for Protection

To defend against this and similar threats, Microsoft and other cybersecurity experts recommend:

  • Routing all network traffic through an encrypted tunnel or a reputable VPN to a trusted network, so the local ISP only sees encrypted traffic. Note that this only helps before compromise: once a hostile root certificate is trusted on the device, a VPN does nothing to stop TLS interception of sessions that terminate at attacker-controlled infrastructure, so the certificate stores should be audited as well.
  • Applying the principle of least privilege across systems.
  • Enabling Multi-Factor Authentication (MFA).
  • Monitoring and auditing privileged account activity regularly.
  • Blocking execution of unauthorized scripts and executables.
  • Ensuring endpoint protection solutions are up to date and active.

This incident underscores the advanced capabilities of nation-state actors and the urgent need for robust security strategies—especially for organizations operating in geopolitically sensitive areas.

Source: https://www.securityweek.com/russian-cyberspies-target-foreign-embassies-in-moscow-via-aitm-attacks-microsoft