
Russian cyberspies hit embassies in Moscow, Microsoft reports

Illustrative photo of a man at a computer next to a Russian flag. (Bill Oxford via Getty Images)

A major Russian state-sponsored cyberespionage group, tracked by Microsoft Threat Intelligence as "Secret Blizzard," has been confirmed to be targeting foreign embassies in Moscow.

The group positions itself in the network path between its targets and the internet, an "adversary-in-the-middle" (AitM) technique, and uses that position to deploy its custom malware, "ApolloShadow," for intelligence collection.

This campaign, ongoing since at least 2024, is considered a high risk for diplomatic entities and other sensitive organizations operating within the Russian capital, especially those relying on local internet providers.

Microsoft's assessment confirms that Secret Blizzard possesses the capability to operate at the Internet Service Provider (ISP) level, suggesting that diplomatic personnel using local Russian ISPs or telecommunications services are highly likely targets.

Previously, Microsoft had assessed only with low confidence that Secret Blizzard conducted cyberespionage within Russia's borders. The new confirmation of ISP-level capability means the group can position itself directly between a target's devices and the wider internet to intercept and manipulate their traffic.

Microsoft suggests this is likely aided by Russia's domestic lawful-intercept systems, such as the System for Operative Investigative Activities (SORM), given the scale at which these operations run.

The ApolloShadow malware installs an actor-controlled root certificate into the trust store of the targeted device. Once that root is trusted, the device accepts TLS certificates the group issues for sites it impersonates from its ISP-level position, so actor-controlled servers appear legitimate to the user and the browser, which lets the group maintain persistent access to diplomatic devices, presumably for intelligence gathering. Microsoft observed this technique used specifically against foreign embassies in Moscow in February 2025.
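The practical check against this technique is to know what is in your root store and notice when it changes. The script below is an added example, not code from the Microsoft report or from this article: it diffs a host's root-certificate bundle against a baseline of SHA-256 fingerprints recorded when the machine was known to be clean, and reports any root that has appeared since. The PEM bodies embedded in it are constructed placeholders, not real certificates, and the file locations in the usage note are assumptions about your platform.

```python
"""Baseline diff of a root-certificate store (added example, stdlib only).

A root injected by an AitM operator shows up as a fingerprint that was not
present when the baseline was taken. The diff does not need to parse ASN.1,
only to hash the DER bytes, so it works on any PEM bundle from any OS.
"""
import base64
import hashlib
import re

# One PEM certificate block; the body between the markers is base64 DER.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_fingerprint(b64_body: str) -> str:
    """SHA-256 over the DER encoding: the same value browsers and OS tools
    display as the certificate fingerprint. Line breaks in the body are
    dropped before decoding; invalid base64 raises rather than silently
    producing a bogus hash."""
    der = base64.b64decode("".join(b64_body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(pem_bundle: str) -> dict[str, str]:
    """Map fingerprint -> full PEM block for every certificate in a bundle.
    Duplicate certificates collapse to one entry."""
    return {
        sha256_fingerprint(m.group(1)): m.group(0)
        for m in PEM_CERT.finditer(pem_bundle)
    }


def load_baseline(text: str) -> set[str]:
    """Parse a baseline file: one lowercase hex fingerprint per line,
    blank lines and '#' comments ignored."""
    fps = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            fps.add(line)
    return fps


def audit_root_store(current_bundle: str, baseline: set[str]) -> dict[str, set[str]]:
    """Compare the live store with the clean-host baseline.
    'added' is what a root injection produces; 'removed' usually means a
    vendor store update, but both deserve a look."""
    current = set(bundle_fingerprints(current_bundle))
    return {"added": current - baseline, "removed": baseline - current}


# Constructed sample data: the base64 bodies are placeholders, NOT real
# certificates. The diff logic depends only on the bytes, not on valid ASN.1.
KNOWN_ROOT = (
    "-----BEGIN CERTIFICATE-----\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END CERTIFICATE-----\n"
)
ROGUE_ROOT = (
    "-----BEGIN CERTIFICATE-----\n"
    "QkFEQ0VSVA==\n"
    "-----END CERTIFICATE-----\n"
)

# Baseline as it would be stored on disk after snapshotting a clean host.
BASELINE_TEXT = "# roots snapshotted on the clean image\n" + "\n".join(
    bundle_fingerprints(KNOWN_ROOT)
) + "\n"

LIVE_STORE = KNOWN_ROOT + ROGUE_ROOT  # the store after an injection


def demo() -> dict[str, set[str]]:
    """Run the audit on the constructed sample; returns the diff."""
    return audit_root_store(LIVE_STORE, load_baseline(BASELINE_TEXT))


if __name__ == "__main__":
    result = demo()
    for fp in sorted(result["added"]):
        print(f"UNEXPECTED ROOT: {fp}")
    for fp in sorted(result["removed"]):
        print(f"missing from store: {fp}")
```

Point it at the live bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-derived systems; on Windows export the roots from both the machine store and the current-user store, since a root added to the user store is trusted by that user's browser without administrator rights; both are assumptions about your platform) and at a baseline file written when the image was built. A fingerprint diff cannot by itself distinguish a malicious root from an enterprise inspection root, so check any addition against your change records and the OS vendor's published CA list before acting on it.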

Secret Blizzard is attributed by the United States Cybersecurity and Infrastructure Security Agency (CISA) to Center 16 of the Russian Federal Security Service (FSB). The group is also tracked under various other names across the cybersecurity community, including VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.

Although this campaign targets entities inside Russia, the defensive measures Microsoft recommends (routing all traffic through an encrypted tunnel to a trusted endpoint outside the local provider's reach, or using an alternative, satellite-based internet provider not controlled by Russian infrastructure) apply equally against similar interception threats worldwide, according to Microsoft's report.

Olena Goncharova

Head of North America desk

Olena Goncharova is the Head of North America desk at The Kyiv Independent, where she has previously worked as a development manager and Canadian correspondent. She first joined the Kyiv Post, Ukraine's oldest English-language newspaper, as a staff writer in January 2012 and became the newspaper’s Canadian correspondent in June 2018. She is based in Edmonton, Alberta. Olena has a master’s degree in publishing and editing from the Institute of Journalism in Taras Shevchenko National University in Kyiv. Olena was a 2016 Alfred Friendly Press Partners fellow who worked for the Pittsburgh Post-Gazette for six months. The program is administered by the University of Missouri School of Journalism in Columbia.
