A cyber-espionage campaign run by a Russian state-sponsored group is targeting foreign embassies in Moscow, according to new research from Microsoft. The report describes a new and alarming tactic: the group, tracked by Microsoft as “Secret Blizzard” (also known as Turla) and assessed to be linked to Russia’s Federal Security Service (FSB), is abusing access at local Internet Service Providers (ISPs) to intercept and compromise diplomatic communications.
The campaign, active since at least 2024, represents a significant escalation in state-sponsored hacking. Microsoft’s analysis is the first time the company has confirmed with high confidence that Turla conducts espionage at the ISP level within Russia’s borders. Control of the ISP lets the group manipulate the traffic of chosen targets rather than merely observe it, blurring the line between passive surveillance and direct intrusion.
The attack is an “adversary-in-the-middle” (AiTM) technique. Using their ISP-level position, the operators redirect the internet traffic of targeted diplomatic devices, hijacking the connectivity check Windows performs to detect captive portals so that the device lands on a fake “captive portal” page, similar to the login page one sees on hotel or airport Wi-Fi. Victims are then prompted to download a malicious installer, disguised as a legitimate Kaspersky antivirus update, which installs custom malware that Microsoft calls “ApolloShadow.”
Once installed, ApolloShadow gives the attackers a persistent foothold on the diplomat’s device, allowing them to collect intelligence and steal data. It also undermines the device’s encryption: Microsoft reports that the malware installs an attacker-controlled root certificate, so TLS connections the ISP-level operator intercepts no longer raise certificate warnings and can be read in clear text. This exposes a wide range of sensitive information, from browsing history to credentials. Microsoft’s threat intelligence team warns that the campaign poses a “high risk” to foreign embassies and other sensitive organizations that rely on local internet providers in Moscow.
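The two host-side checks below illustrate what a practitioner would look for on a device exposed to the technique described above: a connectivity probe that is answered by a redirect instead of the genuine response, and a root certificate in the machine store that was not present when the device was provisioned. This is an added example, not code from Microsoft’s report or from the campaign itself; the probe host and expected body are Windows’ documented NCSI values, while the certificate store, baseline thumbprints and subject names are constructed samples.

```python
"""Host-side checks for an ISP-level captive-portal hijack and a newly trusted
root certificate. Added example; all certificate data below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Iterable

# 1. The Windows connectivity probe (NCSI). A genuine answer is HTTP 200 with
# exactly this body; anything else makes Windows believe it is behind a captive
# portal, which is the behaviour an ISP-level adversary-in-the-middle exploits.
NCSI_HOST = "www.msftconnecttest.com"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"


def classify_ncsi_response(status: int, headers: dict, body: str) -> str:
    """Classify a response to the NCSI probe.

    'ok'             : genuine answer, nothing in the path interfered
    'captive_portal' : a redirect, i.e. something on the path answered for the
                       probe host (a real hotel portal, or an AiTM)
    'tampered'       : status 200 but the body is not the expected text, or any
                       other status; the probe was answered by the wrong party
    """
    if 300 <= status < 400:
        return "captive_portal"
    if status == 200 and body.strip() == NCSI_EXPECTED_BODY:
        return "ok"
    return "tampered"


# 2. Root store drift. A root certificate the attacker adds is what lets the
# AiTM terminate TLS for any site without a browser warning, so compare the
# machine's trusted roots against a baseline captured at provisioning time.
@dataclass(frozen=True)
class RootCert:
    subject: str
    der: bytes  # DER-encoded certificate bytes (constructed placeholders here)


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint, the same value certificate tooling displays."""
    return hashlib.sha256(der).hexdigest()


def unexpected_roots(store: Iterable[RootCert], baseline: set[str]) -> list[RootCert]:
    """Roots in the machine store whose thumbprint is absent from the baseline."""
    return [cert for cert in store if thumbprint(cert.der) not in baseline]


# Constructed sample data: two roots known at provisioning, plus one that
# appeared later. Real DER bytes would come from the OS certificate store.
KNOWN_ROOT_A = RootCert("CN=Constructed Public CA A", b"der-bytes-root-a")
KNOWN_ROOT_B = RootCert("CN=Constructed Public CA B", b"der-bytes-root-b")
NEW_ROOT = RootCert("CN=Constructed Unknown Root", b"der-bytes-added-later")

BASELINE = {thumbprint(KNOWN_ROOT_A.der), thumbprint(KNOWN_ROOT_B.der)}
SAMPLE_STORE = [KNOWN_ROOT_A, NEW_ROOT, KNOWN_ROOT_B]


def run_checks(status: int, headers: dict, body: str,
               store: Iterable[RootCert], baseline: set[str]) -> dict:
    """Combine both checks into one verdict for the device."""
    probe = classify_ncsi_response(status, headers, body)
    drift = [cert.subject for cert in unexpected_roots(store, baseline)]
    return {
        "probe": probe,
        "new_roots": drift,
        "suspicious": probe != "ok" or bool(drift),
    }


if __name__ == "__main__":
    # A constructed response in which the probe was answered with a redirect.
    hijacked = run_checks(302, {"Location": "http://portal.example.net/login"}, "",
                          SAMPLE_STORE, BASELINE)
    print(hijacked)
```

On a Windows host the store contents would be read from `Cert:\LocalMachine\Root` (for example via PowerShell’s `Get-ChildItem`) rather than constructed in code, and the baseline should be recorded before the device ever touches the local ISP. Note that a redirect on the probe is not proof of attack on its own, since legitimate captive portals behave the same way; the combination of a redirect followed by a new root certificate is the pattern worth alerting on.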
The findings highlight the security risks for diplomatic personnel operating in countries with state-aligned internet infrastructure. Microsoft and other security experts recommend that embassies and diplomatic missions in such locations route all of their traffic through an encrypted tunnel to a trusted network, or use a trusted VPN provider, so that the local ISP sees only encrypted packets it cannot redirect or inspect. One caveat matters in practice: the tunnel must be established before the device is exposed to the local network, and a device that has already accepted an attacker-controlled root certificate needs to be rebuilt, since a VPN does nothing to remove that trust.