Russian cyberspies hit embassies in Moscow, Microsoft reports

A major Russian state-sponsored cyberespionage group, tracked by Microsoft Threat Intelligence as "Secret Blizzard," has been confirmed to be targeting foreign embassies in Moscow.
The group is employing a sophisticated "adversary-in-the-middle" technique to deploy its custom malware, "ApolloShadow," for intelligence collection.
This campaign, ongoing since at least 2024, is considered a high risk for diplomatic entities and other sensitive organizations operating within the Russian capital, especially those relying on local internet providers.
Microsoft's assessment confirms that Secret Blizzard possesses the capability to operate at the Internet Service Provider (ISP) level, suggesting that diplomatic personnel using local Russian ISPs or telecommunications services are highly likely targets.
Previously, Microsoft had assessed with low confidence that Secret Blizzard conducted cyberespionage within Russia's borders. This new confirmation of ISP-level capability means the group can position itself directly between networks to facilitate malicious activities.
Microsoft suggests this is likely aided by Russia's domestic intercept systems, such as the System for Operative Investigative Activities, given the large scale of these operations.
The ApolloShadow malware allows Secret Blizzard to install a trusted root certificate on targeted devices. Once that certificate is trusted, the device accepts malicious, actor-controlled websites as legitimate, which lets the cyberespionage group maintain persistent access to diplomatic devices, presumably for intelligence gathering. In February 2025, Microsoft observed this technique used specifically against foreign embassies in Moscow.
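As an added example (not code from Microsoft's report, and unrelated to ApolloShadow itself), the following PowerShell check lets a Windows administrator compare the machine's trusted-root stores against a baseline captured on a known-good system and flag any root certificate trusted since then; the baseline file path and the 90-day "recently issued" window are assumptions.

```powershell
# Added example: audit the Windows trusted-root stores against a saved baseline
# and report roots that were not trusted when the baseline was captured.
# Assumptions: elevated PowerShell session; baseline path chosen by the operator.
param(
    [string]$BaselinePath = "C:\ProgramData\RootBaseline.txt",  # hypothetical path
    [switch]$CaptureBaseline
)

$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")
$roots  = foreach ($s in $stores) { Get-ChildItem -Path $s }

if ($CaptureBaseline) {
    # Record the thumbprints of every root trusted right now (run on a clean host).
    $roots | Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique |
        Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($roots.Count) roots)"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -CaptureBaseline on a known-good host first."
}
$baseline = @(Get-Content -Path $BaselinePath)

# Any root whose thumbprint is absent from the baseline is worth a closer look.
# A self-signed root with a recent NotBefore date is the shape a freshly
# planted actor-controlled CA would take.
$findings = foreach ($c in $roots) {
    if ($c.Thumbprint -notin $baseline) {
        [pscustomobject]@{
            Store          = $c.PSParentPath -replace '.*::'
            Thumbprint     = $c.Thumbprint
            Subject        = $c.Subject
            SelfSigned     = ($c.Subject -eq $c.Issuer)
            NotBefore      = $c.NotBefore
            RecentlyIssued = ($c.NotBefore -gt (Get-Date).AddDays(-90))
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No trusted roots outside the baseline." }
```

Run it once with -CaptureBaseline on a freshly provisioned machine, then on a schedule without the switch; legitimate Windows root updates will also appear, so review each finding rather than treating every new root as hostile.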
Secret Blizzard is identified by the United States Cybersecurity and Infrastructure Security Agency (CISA) as part of the Russian Federal Security Service (Center 16). The group is also known by various other names across the cybersecurity community, including VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, Wraith, ATG26, and Waterbug.
Although the cyberespionage primarily targets entities within Russia, the recommended defense measures – including routing all traffic through encrypted tunnels or using alternative, satellite-based internet providers not controlled by Russian infrastructure – are broadly applicable to mitigating similar cyber threats worldwide, according to Microsoft's report.
