Foreign embassies, diplomatic missions, and other sensitive organizations in Moscow are under sophisticated surveillance by FSB-linked hackers. To insert themselves in the middle and compromise victims, the attackers utilize the internet service provider (ISP) level access.
The Microsoft Threat Intelligence team promptly warned foreign organizations in Moscow that they’re under constant surveillance at the ISP level by hackers linked to Russia’s Federal Security Service (FSB, Center 16).
The threat actor, tracked as Secret Blizzard and also known as Turla, Venomous Bear, Uroburos, Snake, or Blue Python, deploys custom malware capable of installing a trusted root certificate and tricking victims’ devices into trusting malicious websites.
The attacks have been ongoing since at least 2024 and pose a high risk to foreign embassies, diplomatic entities, and sensitive organizations. No one who relies on local internet providers is safe.
The group has been using a technique known as adversary-in-the-middle (AiTM) to intercept internet traffic and collect intelligence.
“The Secret Blizzard AiTM position is likely facilitated by lawful intercept and notably includes the installation of root certificates under the guise of Kaspersky Anti-Virus,” Microsoft said in a report.
This means that attackers can break the TLS/SSL encryption used by the websites that victims visit. Almost all data, including credentials, access tokens, etc., can then be viewed in clear text.
Microsoft also warns that similar techniques were used in the past in Eastern Europe to infect foreign ministries. In these cases, users were tricked into downloading a trojanized Flash installer.
How does the malware get in?
ISP-level access enables hackers to redirect target devices. They display a fake login page, also known as a captive portal, similar to the ones used by airports or hotels when first connecting to the internet.
Once behind this step, a computer probes whether it has internet access using a legitimate Windows service, which should redirect to a specific website. But this doesn’t happen – the hackers redirect users to a separate site controlled by them. The malicious site likely displays a certificate validation error, prompting the victims to download and execute a malicious payload.
This way, the custom malware, which Microsoft dubbed ApolloShadow, is deployed.
ApolloShadow has a low-privilege execution path to exfiltrate information about the target, before attempting to gain administrative privileges by triggering standard Windows security prompts.
Ultimately, the malware installs fake security certificates, which enable hackers to decrypt and monitor communications.
Microsoft warns that to stay safe in Moscow, internet users must use secure connections, such as an encrypted tunnel or a virtual private network (VPN). The researchers recommend using independent infrastructure, such as a satellite-based provider not controlled or influenced by Kremlin-sponsored parties.
The US Cybersecurity and Infrastructure Security Agency (CISA) has previously warned that Russian FSB hackers use highly sophisticated malware for long-term espionage.
Your email address will not be published. Required fields are markedmarked