Russian cyber espionage group 'Secret Blizzard' uses man-in-the-middle attacks to install malware on embassy devices

Microsoft Threat Intelligence, a Microsoft security team, has reported that the Russian government-backed cyber espionage group 'Secret Blizzard' is using Internet service providers (ISPs) to launch
Frozen in transit: Secret Blizzard's AiTM campaign against diplomats | Microsoft Security Blog
https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/

Microsoft: Kremlin monitors foreign embassies in Moscow through cyber-espionage at ISP level | The Record from Recorded Future News
https://therecord.media/russia-fsb-turla-espionage-foreign-embassies-isp-level
Microsoft catches Russian hackers targeting foreign embassies - Ars Technica
https://arstechnica.com/information-technology/2025/07/microsoft-catches-russian-hackers-targeting-foreign-embassies/
Secret Blizzard is one of the world's most active state-sponsored hacking groups, operating as an organization affiliated with the Russian Federal Security Service since at least 1996. Microsoft has now reported that Secret Blizzard is targeting devices at various embassies in Moscow, launching man-in-the-middle attacks using ISPs in Russia.
The objective of these man-in-the-middle attacks is to install custom malware called 'ApolloShadow' on the victim's device. ApolloShadow installs a TLS root certificate on the infected device so that malicious websites appear to be known, trusted websites.

The man-in-the-middle attack methods confirmed by Microsoft are as follows:
Secret Blizzard uses ISPs to redirect target devices to
- Directing users to another domain controlled by Secret Blizzard.
- Displaying certificate validation errors on that domain and prompting users to install ApolloShadow on their devices.
- Checking whether ApolloShadow has system permissions to install root certificates.
- If it determines that the device is not running with default managed settings, displaying a popup prompting the user to install a certificate with the file name CertificateDB.exe.
CertificateDB.exe is disguised as a Kaspersky installer; it installs a root certificate, and Secret Blizzard uses it to escalate privileges on the system.
After escalating privileges, ApolloShadow makes several changes to the device's network configuration, such as relaxing firewall rules to allow file sharing. Microsoft has not confirmed any direct lateral movement by Secret Blizzard, but it believes these changes are intended to make lateral movement easier.
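As an added example, not taken from Microsoft's report or from this article, the following PowerShell audit checks a Windows host for the two changes described above: a root certificate that is not in a known-good baseline (or was issued recently) and enabled inbound file-sharing firewall rules. The baseline file path is a placeholder; it is assumed to hold one thumbprint per line, exported from a clean host.

```powershell
# Added defender-side audit; assumes a baseline thumbprint list exported from a clean host.
param(
    [string]$BaselinePath = 'C:\Baseline\trusted-roots.txt',  # placeholder path
    [int]$RecentDays = 30                                      # flag roots issued within this window
)

$baseline = @()
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpper() }
}
$cutoff = (Get-Date).AddDays(-$RecentDays)

# 1. Root stores: the machine store and the current user's store are both trusted by
#    Windows TLS clients, so an injected root could live in either.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $roots = Get-ChildItem -Path $store
    $flagged = $roots | Where-Object {
        ($baseline.Count -gt 0 -and $baseline -notcontains $_.Thumbprint.ToUpper()) -or
        ($_.NotBefore -gt $cutoff)
    }
    Write-Host "== $store : $($roots.Count) roots, $($flagged.Count) flagged =="
    $flagged |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Format-Table -AutoSize
}

# 2. Firewall: inbound 'File and Printer Sharing' rules enabled on any profile indicate
#    that file sharing has been opened up, which is the relaxation described in the report.
$openShares = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
Write-Host "== Enabled inbound file-sharing rules: $($openShares.Count) =="
$openShares |
    Select-Object Name, Profile, Action |
    Format-Table -AutoSize

# 3. Network profiles: file-sharing rules are scoped per profile, so a Public network
#    that has been switched to Private widens their reach. Shown for context only.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize
```

Review any flagged root against the issuing organisation's published fingerprints before removing it; a flagged entry is a lead for investigation, not proof of compromise on its own.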

According to Microsoft, this is the first time that Secret Blizzard has been identified as conducting ISP-level cyberespionage operations. 'This means that diplomats who use ISPs or telecommunications services in Russia are highly likely to be targeted by Secret Blizzard's man-in-the-middle attacks on those services,' the company said.
The man-in-the-middle attacks identified in this study pose a significant risk to organizations using ISPs in Russia, and Microsoft has advised organizations operating in Russia to tunnel their traffic to connect to a trusted ISP or use an alternative provider, such as satellite internet.
in Software, Web Service, Security, Free Member, Posted by log1h_ik