The Moscow skyline. Image: Nikita Ermilov via Unsplash

Microsoft: Kremlin monitors foreign embassies in Moscow through cyber-espionage at ISP level

The Russian government is monitoring foreign embassies in Moscow by installing malware through its control of local internet service providers (ISPs), according to new research from Microsoft. 

The ongoing cyber-espionage campaign has been active since at least 2024 and was launched by a group Microsoft calls Secret Blizzard. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously said the group is housed within Center 16 of the Russian Federal Security Service (FSB).

The tech giant added that this is the first time it has confirmed that Secret Blizzard, also tracked as Turla, has the capability to conduct espionage activities at the ISP level. 

In a blog post on Thursday, Microsoft said it first saw the spies using an adversary-in-the-middle (AiTM) technique to deploy the ApolloShadow malware against foreign embassies in February 2025 — allowing them to collect intelligence from diplomatic entities and maintain access to systems. 

AiTM is when a threat actor positions itself between a victim and the networks it communicates with, in a way that lets it observe or alter the traffic and facilitates further actions. Microsoft theorized that in this case, Secret Blizzard is using lawful intercepts at the ISP or telecommunications level inside Russia to enable its access to foreign embassy systems.

“This means that diplomatic personnel using local ISP or telecommunications services in Russia are highly likely targets of Secret Blizzard’s AiTM position within those services,” Microsoft said.

The company added that the group “likely leverages Russia’s domestic intercept systems such as the System for Operative Investigative Activities (SORM), which we assess may be integral in facilitating the actor’s current AiTM activity, judging from the large-scale nature of these operations.”

“Secret Blizzard has exhibited similar techniques in past cyberespionage campaigns to infect foreign ministries in Eastern Europe by tricking users to download a trojanized Flash installer from an AiTM position,” the researchers said. 

ApolloShadow, Witkoff and Belarus

Secret Blizzard uses its AiTM position to redirect target devices and put them behind captive portals — legitimate web pages that manage network access. You typically see these kinds of pages when you try to log in to the Wi-Fi at a hotel, airport or cafe.

Visitors are then routed to a separate domain controlled by the group, which prompts them to unknowingly download the ApolloShadow malware. Parts of the malware masquerade as a Kaspersky antivirus installer, which allows the attacker to gain elevated privileges on the system, according to Microsoft.

The malware makes several changes, including relaxing firewall rules to enable file sharing. Microsoft noted that while its researchers did not see direct attempts by Secret Blizzard to move laterally around a system, many of the changes made by ApolloShadow are “likely to reduce the difficulty of lateral movement on the network.”
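One way a defender can check a Windows host for the kind of change described above, as an added example that is not part of Microsoft's report or the article: a read-only PowerShell audit that lists the firewall profile state, any enabled inbound allow rules in the built-in file-sharing and network-discovery groups, and enabled inbound allow rules that belong to no display group at all. The display-group names are the English defaults and are assumed to match the host's locale; the "no group" check is a heuristic, not an indicator tied to ApolloShadow specifically. It uses only the standard NetSecurity cmdlets and must run from an elevated prompt.

```powershell
# Added example (not Microsoft's or the article's code): read-only audit of
# Windows Defender Firewall for relaxed inbound rules around file sharing.
#Requires -RunAsAdministrator

# Built-in English display groups whose inbound rules open SMB/NetBIOS/SSDP.
# Assumption: the host uses the English group names.
$sharingGroups = @(
    'File and Printer Sharing',
    'Network Discovery'
)

# 1. Profile state. A disabled profile, or a DefaultInboundAction of Allow,
#    is a red flag on a laptop that connects through untrusted providers.
Write-Host '== Firewall profiles =='
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Enabled inbound allow rules in the sharing-related groups, with the
#    protocol, local port and the profiles (Domain/Private/Public) they cover.
#    Anything enabled on the Public profile deserves a second look.
Write-Host '== Enabled inbound allow rules in sharing-related groups =='
$sharingGroups | ForEach-Object {
    $group = $_
    Get-NetFirewallRule -DisplayGroup $group -Enabled True `
                        -Direction Inbound -Action Allow `
                        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Group     = $group
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    }
} | Format-Table -AutoSize

# 3. Heuristic: enabled inbound allow rules with no display group. Rules
#    created by installers or scripts usually lack a group, so this list is
#    a short, reviewable set of candidates rather than proof of tampering.
Write-Host '== Enabled inbound allow rules with no display group =='
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { -not $_.DisplayGroup } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
        }
    } | Format-Table -AutoSize
```

Save the output alongside a baseline taken when the machine was known-good; the useful signal is the difference between the two, especially rules that newly cover the Public profile or that point at a program path in a user-writable directory.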

Microsoft warned that the campaign poses significant risk to foreign embassies, diplomatic entities and other organizations operating in Moscow, especially those that rely on local internet providers. Organizations operating in Russia should use a virtual private network (VPN) service provider or route all traffic through encrypted tunnels to trusted networks or alternative providers.

The Microsoft research comes just months after concerns were raised about how the Trump administration is handling sensitive communications in Russia. President Donald Trump's Ukraine and Middle East envoy Steve Witkoff was in Moscow meeting with Russian President Vladimir Putin during the Signal chat incident in March.

U.S. officials later claimed Witkoff did not have any of his personal or government-issued phones with him while in Moscow. White House spokesperson Karoline Leavitt said at the time that Witkoff was allowed to use a "classified protected server by the United States government, and he was very careful about his communications when he was in Russia."

In 2023, cybersecurity researchers at ESET attributed a similar ISP-oriented campaign to Russian ally Belarus. Foreign embassies there were being targeted by hackers looking to steal documents, record audio and track victims’ keystrokes. 

The campaign was nearly identical, with the Belarusian group using AiTM tactics as well as captive portals and exploiting local ISPs to gain access to at least four embassies.

In ESET’s report at the time, the researchers said they found ties between the Belarusian threat actors and Secret Blizzard, noting that the “AitM scenario reminds us of the Turla and StrongPity threat actors, who have trojanized software installers on the fly at the ISP level.”

'Collapsing the boundary'

Secret Blizzard has been heavily involved in Russia’s war against Ukraine and is known for stealing politically significant information, particularly advanced research that might influence international political issues.

The group has a history of targeting ministries of foreign affairs, embassies, government offices, defense departments and defense-related companies worldwide.

Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told Recorded Future News that once a state actor successfully operationalizes a tactic — particularly one tied to infrastructure they control — it often enters the playbook for future operations.

She warned that other countries with state-aligned telecom access, such as China, Iran or North Korea, may adopt similar AiTM tradecraft, especially for espionage within their borders.

“Russia itself may reuse or expand this campaign depending on its intelligence objectives. This campaign is emblematic of how state-sponsored groups are collapsing the boundary between ‘passive surveillance’ and ‘active intrusion,’” she said.

“It’s a shift from watching traffic to actively modifying it to gain a foothold on target systems, likely signaling broader integration between surveillance and offensive operations within state-sponsored actor groups’ toolkits.”

Microsoft Threat Intelligence previously shared findings on Secret Blizzard in December, noting that the group exploited the servers of Pakistani threat actors to target organizations in South Asia.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.