Microsoft uncovers Russian cyberespionage campaign targeting foreign embassies in Moscow.

Microsoft Threat Intelligence has disclosed a cyberespionage operation by the Russian state actor it tracks as Secret Blizzard (also known as Turla, Waterbug, and Venomous Bear). The campaign targets foreign embassies and diplomatic staff in Moscow and uses an adversary-in-the-middle (AiTM) position at the Internet Service Provider (ISP) level to deliver the group's custom ApolloShadow malware.

Campaign Overview

According to Microsoft, Secret Blizzard's visibility into embassy traffic comes from a position inside the local providers' networks, which Microsoft assesses is likely enabled by Russia's domestic lawful intercept system, SORM. From that position the group intercepts connections and redirects embassy devices to a convincing fake captive portal, the kind of login page users expect from hotel or airport Wi-Fi. Because the interception happens upstream at the provider, the portal can appear on any connection that traverses that provider, not only on public wireless networks.

These portals impersonate pages pushing a security update or installer from a trusted vendor, such as Kaspersky Anti-Virus. Staff who accept the prompt install ApolloShadow on their device.

The ApolloShadow Threat

Once installed, ApolloShadow enables Secret Blizzard to:

  • Install attacker-controlled root certificates in the device's trusted root store, so that TLS sessions intercepted upstream can be decrypted and modified without triggering browser certificate warnings.
  • Maintain access to the host and harvest credentials, authentication tokens, and other sensitive data from the intercepted sessions.
  • Escalate privileges and create a local administrative account, giving the operators durable access to the device.

Because the interception point sits at the ISP rather than on the device, Secret Blizzard can monitor and alter virtually all online activity from an infected embassy device once the rogue root is trusted, including traffic that would otherwise be protected by TLS. This exposes a broad range of confidential diplomatic communications and operations.
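The host-side traces the article attributes to ApolloShadow, a rogue root in the trusted store and a new local administrator, are what a responder can hunt for on a Windows device. The PowerShell below is an added example written for this page; it is not Microsoft's tooling and does not come from the report. The baseline file path, the list of expected administrators and the event lookback window are assumptions to adapt. Because the lure in this campaign borrows a security vendor's branding, the check compares certificate thumbprints against a baseline exported from a known-clean machine instead of trusting certificate names.

```powershell
# Added example, not from Microsoft's report: audit a Windows host for the two
# artifacts the article describes, unexpected trusted roots and unexpected local
# administrators. Baseline location is an assumption; adjust for your fleet.
$BaselinePath = "$env:ProgramData\RootBaseline.json"

function Export-RootBaseline {
    # Run once on a known-clean reference machine of the same Windows build.
    param([string]$Path = $BaselinePath)
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Select-Object -ExpandProperty Thumbprint -Unique
    $roots | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Find-UnknownRoots {
    # Report every trusted root whose thumbprint is absent from the baseline.
    param([string]$Path = $BaselinePath)
    $known = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    # Both stores matter: a root dropped into CurrentUser\Root needs no admin
    # rights, yet browsers that use the Windows store (Edge, Chrome) trust it.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $known -notcontains $_.Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotBefore  = $_.NotBefore   # a very recent date on a "vendor" root is suspicious
                    Thumbprint = $_.Thumbprint
                    # Roots are self-signed; an entry here whose Subject differs
                    # from its Issuer is not a root at all and was put there by hand.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

function Find-UnexpectedAdmins {
    # Report members of the local Administrators group not in the expected list.
    # The default list is an assumption; populate it from your build standard.
    param([string[]]$Expected = @('Administrator'))
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $name = ($_.Name -split '\\')[-1]   # strip the COMPUTER\ or DOMAIN\ prefix
            $Expected -notcontains $name
        } |
        Select-Object Name, PrincipalSource, ObjectClass, SID
}

function Get-RecentAccountEvents {
    # Security log: 4720 = user account created, 4732 = member added to a
    # security-enabled local group. Reading the Security log requires elevation.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4732
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage on a suspect host, after Export-RootBaseline has been run on a clean one:
Find-UnknownRoots | Format-Table -AutoSize
Find-UnexpectedAdmins | Format-Table -AutoSize
Get-RecentAccountEvents | Format-Table -AutoSize
```

A legitimately deployed enterprise root or a newly onboarded administrator will also appear in this output, so triage by Subject, NotBefore and the Security events rather than treating every hit as compromise. The thumbprint comparison is deliberate: a rogue root can carry any vendor's name in its Subject, but it cannot carry the thumbprint of a root that was already on the reference image.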

Strategic Implications

Microsoft notes that this is the first time it has confirmed Secret Blizzard operating at the ISP level inside Russia. By borrowing trusted software brands and relying on users' habit of clicking through network prompts, the attackers raise their success rate considerably.

Secret Blizzard, believed to be affiliated with Center 16 of Russia’s Federal Security Service (FSB), is recognized for its advanced tradecraft and persistent intelligence operations targeting ministries of foreign affairs, embassies, defense sectors, and other high-value organizations worldwide. The group is known to reuse and adapt tools and infrastructure from other threat actors to enhance its stealth and reach.

Recommendations for Mitigation

Given the extent of local infrastructure compromise, Microsoft advises all diplomatic missions and sensitive organizations operating in Moscow to:

  • Route traffic through an encrypted tunnel, such as a VPN, to trusted infrastructure outside Russian jurisdiction wherever possible, so that the local provider sees only the tunnel and cannot inject a portal.
  • Treat unexpected network prompts, installer downloads and certificate warnings with suspicion, even when branded as a reputable security vendor. Once a rogue root has been installed, browsers stop warning about the intercepted connections, so the install prompt itself is the last visible signal.
