Russian hackers target local internet to spy on embassies in Moscow, Microsoft says

The attack works by rerouting targeted diplomatic devices through a hoax captive portal modeled on the kind commonly used to grant internet access in hotels and airports.
A major Russian cyberespionage unit is attempting to spy on foreign embassies in Moscow by targeting local internet and telecom infrastructure used by diplomatic personnel inside the nation’s capital city, according to findings released Thursday by Microsoft’s threat intelligence arm.
The group, dubbed Secret Blizzard, was observed in February deploying a spying program called ApolloShadow inside the systems of local telecom and internet service providers used by embassies, aiming to intercept sensitive intelligence produced by diplomats and other staffers, the report says.
The cyberspies are likely exploiting Russia’s “lawful intercept” architecture to seed the malware into internet and communications systems. Like many nations with developed telecom infrastructure, Russia requires communications firms, under its lawful intercept programs, to engineer their systems so the government can monitor phone and internet conversations.
The “adversary‑in‑the‑middle” attack involves redirecting targeted diplomatic devices behind a captive portal, a type of login page often seen at hotels or airports to facilitate use of public internet. Once a device is placed behind the portal, Windows automatically launches its Connectivity Status Indicator, a legitimate service that checks for internet access by sending a request to a Microsoft site.
But instead of reaching Microsoft, the request is hijacked and redirected to a hacker‑controlled server, where victims are likely shown a fake certificate warning and prompted to download ApolloShadow without realizing it.
To increase the chances of success, the attackers disguise the download as a Kaspersky antivirus installer. If the victim approves it, the process silently changes the device’s permissions to give the cyberintruders elevated privileges and the ability to access the victim’s secure communications.
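A defender-side check for the two steps just described (the hijacked connectivity probe, then the portal that pushes a disguised installer), added here as an illustration and not taken from Microsoft’s report. It classifies a captured connectivity-probe response: the probe URL and expected body are Windows’ real NCSI values, while the sample responses, host names and installer file name are constructed for this example.

```python
"""Classify a Windows NCSI connectivity-probe response (added example)."""
import re
from dataclasses import dataclass, field

# Real Windows NCSI probe: HTTP GET to this host, expecting this exact body.
NCSI_HOST = "www.msftconnecttest.com"
NCSI_BODY = "Microsoft Connect Test"
# File types a legitimate hotel/airport portal has no reason to push.
INSTALLER_RE = re.compile(r"\.(exe|msi|msix|ps1|bat)\b", re.IGNORECASE)


@dataclass
class ProbeResult:
    status: int
    final_host: str                      # host that answered after redirects
    headers: dict = field(default_factory=dict)
    body: str = ""


def classify_probe(r: ProbeResult) -> str:
    """Return 'ok', 'captive_portal', 'malicious_portal' or 'spoofed_probe'."""
    headers = {k.lower(): v for k, v in r.headers.items()}
    if r.status == 200 and r.final_host == NCSI_HOST and r.body.strip() == NCSI_BODY:
        return "ok"
    pushes_installer = (
        "attachment" in headers.get("content-disposition", "").lower()
        or headers.get("content-type", "").startswith("application/octet-stream")
        or INSTALLER_RE.search(r.body) is not None
    )
    if r.final_host != NCSI_HOST or r.status in (301, 302, 303, 307, 308):
        # Redirect to another host is the normal captive-portal signature;
        # a portal that also serves an executable is what this article describes.
        return "malicious_portal" if pushes_installer else "captive_portal"
    # 200 from the expected host name but the wrong body: something is
    # answering as Microsoft without being Microsoft (DNS/proxy interception).
    return "spoofed_probe"


# Constructed sample responses (hypothetical hosts and file name).
SAMPLES = {
    "clean": ProbeResult(200, NCSI_HOST, {"Content-Type": "text/plain"}, NCSI_BODY),
    "hotel": ProbeResult(302, "portal.hotel.example",
                         {"Location": "https://portal.hotel.example/login"},
                         "<html>Sign in to Wi-Fi</html>"),
    "fake_installer": ProbeResult(200, "portal.hotel.example", {"Content-Type": "text/html"},
                                  '<html>Certificate error. <a href="/kav_setup.exe">'
                                  "Install antivirus to continue</a></html>"),
    "spoofed": ProbeResult(200, NCSI_HOST, {"Content-Type": "text/html"}, "<html>wait</html>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:15s} -> {classify_probe(sample)}")
```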
Kaspersky is a major Russian cybersecurity company known for its antivirus products. It was blacklisted from the entire U.S. commercial market last summer just before several of its top leaders were sanctioned by the Treasury Department.
Despite the ongoing war in Ukraine, several Western nations, including the U.S., have diplomatic presence in Moscow. Microsoft does not name specific embassies or consulates targeted by Secret Blizzard.
Russia’s lawful intercept programs are governed by the System for Operative Investigative Activities, known as SORM, which was first enacted in 1995. SORM platforms are part of a broad surveillance apparatus inside Russia, and several security agencies rely on SORM to eavesdrop on communications that cross the nation’s internet backbone.
But multiple rounds of Western sanctions imposed on Russia after its 2022 Ukraine invasion have slowed the nation’s ability to supply the hardware and software needed to maintain its SORM systems, according to 2023 research from Gavin Wilde, a former U.S. intelligence specialist on Russia and a nonresident fellow at the Carnegie Endowment for International Peace.
Still, the Kremlin appears to have been able to adapt to these obstacles. Secret Blizzard is deemed a top Russian government hacking unit and has been linked to Russia’s Federal Security Service, known widely as the FSB. The hacking group’s activity has been spotted in some 50 nations across the world, a 2023 Cybersecurity and Infrastructure Security Agency advisory says.
“While we previously assessed with low confidence that the actor conducts cyberespionage activities within Russian borders against foreign and domestic entities, this is the first time we can confirm that they have the capability to do so at the Internet Service Provider (ISP) level,” the Microsoft findings note.
“This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s [adversary-in-the-middle] position within those services,” it adds.
Even as President Donald Trump has sought to swiftly bring Moscow to the negotiating table to end its war in Ukraine, the cyber operations aspects of the war do not appear to have calmed.
A large-scale phishing campaign publicly uncovered in late March targeted defense, aerospace and IT companies that support Ukraine’s military, likely seeking to harvest credentials and sensitive intelligence about its war effort, Nextgov/FCW previously reported.
But Russian President Vladimir Putin is likely not controlling all cyber activity emanating from inside Russia’s borders, and instead grapples with a fragmented, bureaucratic system of overlapping hacking activities from intelligence agencies and criminal gangs, a May Atlantic Council paper argues.